Abstract. Specification theories as a tool in model-driven development processes of component-based software systems have recently attracted considerable attention. Current specification theories are however qualitative in nature, and therefore fragile in the sense that the inevitable approximation of systems by models, combined with the fundamental unpredictability of hardware platforms, makes it difficult to transfer conclusions about the behavior, based on models, to the actual system. Hence this approach is arguably unsuited for modern software systems. We propose here the first specification theory which allows one to capture quantitative aspects during the refinement and implementation process, thus alleviating the problems of the qualitative setting.

Our proposed quantitative specification framework uses weighted modal transition systems as a formal model of specifications. These are labeled transition systems with the additional feature that they can model optional behavior which may or may not be implemented by the system. Satisfaction and refinement are lifted from the well-known qualitative to our quantitative setting by introducing a notion of distances between weighted modal transition systems. We show that quantitative versions of parallel composition as well as quotient (the dual to parallel composition) inherit the properties from the Boolean setting.



1 Introduction 

One of the major current challenges to rigorous design of software systems is that these systems are becoming increasingly complex and difficult to reason about [40]. As an example, an integrated communication system in a modern airplane can have more than $10^{900}$ distinct states [S], and state-of-the-art tools offer no possibility to reason about, and model check, the system as a whole.

One promising approach to overcome such problems is the one of compositional and incremental design. Here the reasoning is done as much as possible at higher specification levels rather than at implementations; partial specifications are proven correct and then composed and refined until one arrives at an implementation model. Practice has shown that this is indeed a viable approach [15, 41].

Specifications of system requirements are high-level finite abstractions of pos- 
sibly infinite sets of implementations. A model of a system is considered an imple- 
mentation of a given specification if the behavior defined by the implementation 
is implied by the description provided by the specification. 

Any practical specification formalism comes equipped with a number of operations which allow compositional and incremental reasoning. The first of these is a refinement relation which allows one to successively distill specifications into more detailed ones and eventually into implementations. In an implementation, all optional behavior defined in the specification has been decided upon in compliance with the specification.

Also needed is an operation of logical conjunction which allows to combine 
specifications so that the systems which refine the conjunction of two specifica- 
tions are precisely the ones which satisfy both partial specifications. Refinement 
and conjunction together allow for incremental reasoning as specifications are 
successively refined and composed. 

For compositional reasoning, one needs an operation of structural composi- 
tion which allows to infer specifications from sub-specifications of independent 
requirements, mimicking at the implementation level e.g. the interaction of com- 
ponents in a distributed system. A partial inverse of this operation is given by 
the quotient operation which allows to synthesize a specification of the missing 
components from an overall specification and an implementation which realizes 
a part of the overall specification. 

Over the years, there have been a series of advances on specification theories [2, 12, 17, 21, 35, 37, 42]. The predominant approaches are based on modal logics and process algebras but have the drawback that they cannot naturally embed both logical and structural composition within the same formalism [31]. Hence such formalisms do not permit reasoning incrementally through refinement.

In order to alleviate these problems, the concept of modal transition systems was introduced [21]. In short, modal transition systems are labeled transition systems equipped with two types of transitions: must transitions which are mandatory for any implementation, and may transitions which are optional for implementations. It is well established that modal transition systems match all the requirements of a reasonable specification theory (see also [35] for motivation), and much progress has been made using modal specifications, see e.g. [1] for an overview. Also, practical experience shows that the formalism is expressive enough to handle complex industrial problems [15, 41].

As an example, consider the modal transition system shown in Figure 1 which models the requirements of a simple email system in which emails are first received and then delivered. Before delivering the email, the system may check or process the email, e.g. for en- or decryption, filtering of spam emails, or generating automatic answers using an auto-reply feature (see also [25]). Must transitions, representing obligatory behavior, are drawn as solid arrows, whereas may transitions, modeling optional behavior, are shown as dashed arrows; hence any implementation of this email system specification must be able to receive and deliver email, and it may also be able to check arriving email before delivering it. No other behavior is allowed.

Fig. 1. Modal transition system modeling a simple email system, with an optional behavior: once an email is received it may e.g. be scanned for containing viruses, or automatically decrypted, before it is delivered to the receiver.

Fig. 2. An implementation of the simple email system in Figure 1 in which we explicitly model two distinct types of email pre-processing.

Implementations can also be represented within the modal transition system formalism, simply as specifications without may transitions. Hence any implementation choice has been resolved, and implementations are plain labeled transition systems. Formally, for a labeled transition system to be an implementation of a given specification, we require that the states of the two objects are related by a refinement relation with the property that all behavior required (must) by the specification has been implemented, and that any implementation behavior was permitted (may) in the specification. Figure 2 shows an implementation of our email specification with two different checks, leading to distinct processing states. Note that a simple system without any check at all, hence only able to receive and deliver email, is also an implementation of the specification.

Motivated by applications to embedded, real-time and hybrid systems, the modal transition system framework has recently been extended in order to reason about quantitative aspects [7, 30]. With these applications in mind, it is necessary not only to be able to specify quantitative aspects of systems, but also to formalize successive refinement of quantities. To illustrate this extension, consider again the modal transition system of Figure 1, but this time with quantities, see Figure 3. Every transition label is extended by integer intervals modeling upper and lower bounds on the time required for performing the corresponding actions. For instance, the reception of a new email (action receive) must take between one and three time units, and the checking of the email (action check) is allowed to take up to five time units.

Fig. 3. Specification of a simple email system, similar to Figure 1 but extended by integer intervals modeling time units for performing the corresponding actions. (Transition labels recoverable from the figure: receive, [1, 3]; deliver, [1, 4]; deliver, [1, 2].)

In this quantitative setting, there is a problem with using a Boolean notion of refinement (as is done in [7, 30]): If one can only decide whether or not an implementation refines a specification, then the quantitative aspects get lost in the refinement process. As an example, consider the email system implementations in Figure 4. Implementation (a) does not refine the specification, as there is an error in the discrete structure of actions: after receiving an email, the system can check it indefinitely without ever delivering it. Also implementations (b) and (c) do not refine the specification: (b) takes too long to receive email, (c) does not deliver email fast enough after checking it. Implementation (d) on the other hand is a perfect refinement of the specification.

Intuitively however, implementations (b) and (c) conform much better to the specification than implementation (a) in Figure 4: there are no discrepancies in the discrete structure, only the weights are off by 1. Additionally, the quantitative error in implementation (c) occurs later than the one in (b). Hence one may want to say that implementation (d) is in perfect refinement of the specification, (c) is slightly off, (b) is a bit more problematic, whereas implementation (a) is completely unacceptable. A Boolean notion of refinement does not allow one to make such distinctions between different negative answers.

To sum up, a Boolean notion of refinement is too fragile for quantitative 
formalisms. Minor and major modifications in the implementation cannot be 
distinguished, as both of them may reverse the Boolean answer. As observed 
in pp, this view is obsolete; engineers need quantitative notions on how modified 
implementations differ. The introduction of such a quantitative notion of refine- 
ment, and its consequences for the specification theory, are the subject of this 
paper. 

In the above examples, the transition weights have expressed the time used to perform the associated action. However, our formalism is abstract enough to also model other quantitative aspects such as e.g. energy consumption or financial aspects. For instance, Figure 5 presents a simple electronic wiper control component for a car, with a normal mode and an optional fast mode. Integer intervals express the allowed energy consumption of each action (using abstract energy units).

Fig. 4. Four implementations (a) to (d) of the simple email system in Figure 3.

Fig. 5. Weighted modal transition system modeling a simple wiper control component of a car. (Transition labels recoverable from the figure: normal; wipe, [2, 4]; fast, [0, 1]; wipeFast, [4, 8].)



Depending on the precise application of our quantitative formalism, there are a few choices which one has to make. One such choice is the precise definition of quantitative refinement, as the way quantitative discrepancies between specifications are measured depends e.g. on whether differences accumulate over time or the interest lies more in the maximal individual differences. Another choice is how to combine quantities during structural composition: when modeling e.g. energy consumption, they should be added; when modeling timing constraints, some form of conjunction should be used. To simplify presentation, we develop the theory in this paper for one specific kind of quantitative refinement and one specific choice of composition; a more general treatment is deferred to future work.



To facilitate quantitative reasoning on specifications and implementations, we introduce a real-valued distance between specifications such that perfect refinement corresponds to distance $0$, small quantitative discrepancies give rise to small distances, and differences in the discrete control structure correspond to distance $\infty$. For the examples in Figs. 3 and 4 we will hence deduce the following chain of decreasing distances:

$$\infty = d(\mathcal{I}_1, \mathcal{S}) > d(\mathcal{I}_2, \mathcal{S}) > d(\mathcal{I}_3, \mathcal{S}) > d(\mathcal{I}_4, \mathcal{S}) = 0.$$

Our distance is discounted in the sense that behaviors which occur $d$ steps in the future are discounted by a factor $\lambda^d$, where $\lambda$ with $0 < \lambda < 1$ is a fixed discounting factor.

Using a reduction to discounted games [46], we show that this so-called modal distance is computable in NP ∩ coNP. As any specification can be seen as the (generally infinite) set of implementations which are in perfect refinement, we also have a natural notion of so-called thorough distance between specifications which is given by the (Hausdorff) distance between their implementation sets; we show that computing thorough distances is EXPTIME-hard.

Replacing Boolean refinement by distances has an impact on operations be- 
tween specifications. As a second contribution of this paper, we propose quan- 
titative versions of structural composition and quotient which inherit the good 
properties from the Boolean setting. We also propose a new notion of relaxation 
which is inherent to the quantitative framework and allows e.g. to calibrate the 
quotient operator: If the overall specification is too restrictive with respect to 
a partial implementation to synthesize a meaningful specification of the miss- 
ing components, the overall specification may be relaxed to facilitate a better 
quotient. 

However, there is no free lunch, and working with distances has a price: some 
of the properties of logical conjunction and determinization are not preserved 
in our quantitative setting. More precisely, conjunction is not the greatest lower 
bound with respect to refinement distance as it is in the Boolean setting, and 
deterministic overapproximation is too coarse. In fact we show that this is a 
fundamental limitation of any reasonable quantitative specification formalism. 

Our final contribution consists of showing that a quantitative interpretation of Hennessy-Milner logic provides a logical characterization which is sound with respect to refinement distance and complete for the disjunction-free fragment.

Related work. The objective of the paper is to propose a new complete quantitative modal specification theory, which exploits a notion of distance between specifications. This distance builds on previous work of some of the authors [26, 27, 28, 32, 42, 43]. For the sake of completeness, we briefly put it in perspective with other notions of distances proposed, particularly but not exclusively for probabilistic systems, in recent years. These include [44, 45] which develop a theory of metric transition systems and introduce the notion of compact branching, [18, 19, 22, 36] which introduce discounting distances for Markov decision processes, and [13, 20] which generalize these to a game setting.

For a non-probabilistic setting of metric transition systems (different from van Breugel's), notions of discounting linear and branching distances are developed in [J, and an important theoretical contribution is [10] which develops a theory of directed distances, or hemimetrics as they have come to be called, and relates completion of hemimetric spaces to Yoneda embeddings (see also [33, 34]). Another, language-based approach to quantitative verification, related to the theory of semiring-weighted automata [23, 24, 25], can be found in [11, 14].

Structure of the paper. The paper starts by introducing our quantitative formalism which has weighted transition systems as implementations and weighted modal transition systems as specifications. In Section 3 we introduce the distances we use for quantitative comparison of both implementations and specifications, and Section 4 provides complexity results for the computation of these distances. Section 5 is devoted to a formalization of the notion of relaxation which is of great use in quantitative design. In Section 6 we see some inherent limitations of the quantitative approach, and Section 7 shows that structural composition works as expected in the quantitative framework and links relaxation to quotients. Section 8 finishes the paper by providing logical characterizations of refinement distance.

2 Weighted Modal Transition Systems 

In this section we present the formalism we use for implementations and specifications. As implementations we choose the model of weighted transition systems, i.e. labeled transition systems with integer weights at transitions. Specifications have both a modal dimension, specifying discrete behavior which must be implemented and behavior which may be present in implementations, and a quantitative dimension, specifying intervals of weights on each transition which are permissible for an implementation.

Let $\mathbb{I} = \{[x, y] \mid x \in \mathbb{Z} \cup \{-\infty\},\ y \in \mathbb{Z} \cup \{\infty\},\ x \le y\}$ be the set of closed extended-integer intervals and let $\Sigma$ be a finite set of actions. Our set of specification labels is $\mathrm{Spec} = \Sigma \times \mathbb{I}$, pairs of actions and intervals. The set of implementation labels is defined as $\mathrm{Imp} = \Sigma \times \{[x, x] \mid x \in \mathbb{Z}\} \approx \Sigma \times \mathbb{Z}$. Hence a specification imposes labels and integer intervals which constrain the possible weights of an implementation.

We define a partial order on $\mathbb{I}$ (representing inclusion of intervals) by $[x, y] \sqsubseteq [x', y']$ if $x' \le x$ and $y \le y'$, and we extend this order to specification labels by $(a, I) \sqsubseteq (a', I')$ if $a = a'$ and $I \sqsubseteq I'$. The partial order on $\mathrm{Spec}$ is hence a refinement order; if $k_1 \sqsubseteq k_2$ for $k_1, k_2 \in \mathrm{Spec}$, then no more implementation labels are contained in $k_1$ than in $k_2$.

Specifications and implementations are defined as follows:

Definition 1. A weighted modal transition system (WMTS) is a quadruple $(S, s^0, \dashrightarrow, \to)$ consisting of a set of states $S$ with an initial state $s^0 \in S$ and must ($\to$) and may ($\dashrightarrow$) transition relations $\to, \dashrightarrow \subseteq S \times \mathrm{Spec} \times S$ such that for every $(s, k, s') \in \to$ there is $(s, \ell, s') \in \dashrightarrow$ where $k \sqsubseteq \ell$. A WMTS is an implementation if $\to = \dashrightarrow \subseteq S \times \mathrm{Imp} \times S$.

Note the natural requirement that any required (must) behavior is also allowed (may) above, and that implementations correspond to standard integer-weighted transition systems, where all optional behavior and positioning in the intervals has been decided on.

A WMTS is finite if $S$ and $\dashrightarrow$ (and hence also $\to$) are finite sets, and it is deterministic if it holds that for any $s \in S$ and $a \in \Sigma$, $(s, (a, I_1), t_1), (s, (a, I_2), t_2) \in \dashrightarrow$ imply $I_1 = I_2$ and $t_1 = t_2$. Hence a deterministic specification allows at most one transition under each discrete action from every state. In the rest of the paper we will write $s \stackrel{k}{\dashrightarrow} s'$ for $(s, k, s') \in \dashrightarrow$ and similarly for $\to$, and we will always write $\mathcal{S} = (S, s^0, \dashrightarrow, \to)$ or $\mathcal{S}_i = (S_i, s_i^0, \dashrightarrow_i, \to_i)$ for WMTS and $\mathcal{I} = (I, i^0, \to)$ for implementations. Note that an implementation is just a usual integer-weighted transition system.

Our theory will work with infinite WMTS, though we will require them to be compactly branching. This is a natural generalization of the standard requirement on systems to be finitely branching which was first used in [45]; see Definition 7 below.

The implementation semantics of a specification is given through modal refinement, as follows:

Definition 2. A modal refinement of WMTS $\mathcal{S}_1, \mathcal{S}_2$ is a relation $R \subseteq S_1 \times S_2$ such that for any $(s_1, s_2) \in R$

– whenever $s_1 \stackrel{k_1}{\dashrightarrow}_1 t_1$ for some $k_1 \in \mathrm{Spec}$, $t_1 \in S_1$, then there exists $s_2 \stackrel{k_2}{\dashrightarrow}_2 t_2$ for some $k_2 \in \mathrm{Spec}$, $t_2 \in S_2$, such that $k_1 \sqsubseteq k_2$ and $(t_1, t_2) \in R$,

– whenever $s_2 \stackrel{k_2}{\to}_2 t_2$ for some $k_2 \in \mathrm{Spec}$, $t_2 \in S_2$, then there exists $s_1 \stackrel{k_1}{\to}_1 t_1$ for some $k_1 \in \mathrm{Spec}$, $t_1 \in S_1$, such that $k_1 \sqsubseteq k_2$ and $(t_1, t_2) \in R$.

We write $\mathcal{S}_1 \le_m \mathcal{S}_2$ if there is a modal refinement relation $R$ for which $(s_1^0, s_2^0) \in R$.

Hence in such a modal refinement, behavior which is required in $\mathcal{S}_2$ is also required in $\mathcal{S}_1$, no more behavior is allowed in $\mathcal{S}_1$ than in $\mathcal{S}_2$, and the quantitative requirements in $\mathcal{S}_1$ are refinements of the ones in $\mathcal{S}_2$. The implementation semantics of a specification can then be defined as the set of all implementations which are also refinements:

Definition 3. The implementation semantics of a WMTS $\mathcal{S}$ is the set $[\![\mathcal{S}]\!] = \{\mathcal{I} \mid \mathcal{I} \le_m \mathcal{S} \text{ and } \mathcal{I} \text{ is an implementation}\}$.

This conforms with the intuition developed in the introduction: if $\mathcal{I} \in [\![\mathcal{S}]\!]$, then any (reachable) behavior $i \stackrel{a, x}{\to} j$ in $\mathcal{I}$ must be allowed by a matching transition $s \stackrel{a, [l, r]}{\dashrightarrow} t$ in $\mathcal{S}$ with $l \le x \le r$; correspondingly, any (reachable) required behavior $s \stackrel{a, [l, r]}{\to} t$ in $\mathcal{S}$ must be implemented by a matching transition $i \stackrel{a, x}{\to} j$ in $\mathcal{I}$ with $l \le x \le r$.
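The refinement check of Definitions 2 and 3 for finite WMTS, as an added worked example (this is not code from the paper): states and transitions are plain Python tuples, and the greatest modal refinement relation is computed by starting from all state pairs and discarding pairs that violate either condition of Definition 2 until nothing changes, so that $\mathcal{S}_1 \le_m \mathcal{S}_2$ holds exactly when the initial states survive. The email specification and the four candidate implementations are constructed here with assumed intervals and weights (receive [1, 3], check [0, 5], deliver [1, 4] after reception and [1, 2] after a check), in the spirit of Figures 2 to 4 rather than copied from them.

```python
from itertools import product

# A WMTS is a tuple (states, initial, may, must); may and must are sets of
# transitions (source, action, lo, hi, target) with [lo, hi] the weight interval.
# An implementation has may == must and lo == hi on every transition.

def label_refines(k1, k2):
    """k1 ⊑ k2 on specification labels: same action and interval inclusion."""
    (a1, lo1, hi1), (a2, lo2, hi2) = k1, k2
    return a1 == a2 and lo2 <= lo1 and hi1 <= hi2

def outgoing(trans, s):
    """Outgoing transitions of s as ((action, lo, hi), target) pairs."""
    return [((a, lo, hi), t) for (src, a, lo, hi, t) in trans if src == s]

def modal_refinement_relation(S1, S2):
    """Greatest modal refinement relation between S1 and S2 (Definition 2):
    start from all state pairs and remove pairs violating one of the two
    conditions until stable; the result is the largest relation satisfying
    the definition (possibly empty)."""
    states1, _, may1, must1 = S1
    states2, _, may2, must2 = S2
    R = set(product(states1, states2))
    changed = True
    while changed:
        changed = False
        for (s1, s2) in list(R):
            # every may transition of s1 is allowed by a may transition of s2
            may_ok = all(
                any(label_refines(k1, k2) and (t1, t2) in R
                    for (k2, t2) in outgoing(may2, s2))
                for (k1, t1) in outgoing(may1, s1))
            # every must transition of s2 is implemented by a must transition of s1
            must_ok = all(
                any(label_refines(k1, k2) and (t1, t2) in R
                    for (k1, t1) in outgoing(must1, s1))
                for (k2, t2) in outgoing(must2, s2))
            if not (may_ok and must_ok):
                R.discard((s1, s2))
                changed = True
    return R

def refines(S1, S2):
    """S1 ≤_m S2: the initial states are related by a modal refinement."""
    return (S1[1], S2[1]) in modal_refinement_relation(S1, S2)

def implementation(states, init, trans):
    """Implementation (may == must, point intervals) from (src, action, weight, tgt)."""
    t = {(s, a, w, w, s2) for (s, a, w, s2) in trans}
    return (states, init, t, t)

# Constructed email specification in the spirit of Figure 3 (intervals assumed):
# receive in [1, 3], optional check in [0, 5], deliver in [1, 4] after reception
# and in [1, 2] after a check.
SPEC_MUST = {("idle", "receive", 1, 3, "received"),
             ("received", "deliver", 1, 4, "idle"),
             ("checked", "deliver", 1, 2, "idle")}
SPEC_MAY = SPEC_MUST | {("received", "check", 0, 5, "checked")}
EMAIL_SPEC = ({"idle", "received", "checked"}, "idle", SPEC_MAY, SPEC_MUST)

# Constructed implementations:
IMPL_PLAIN = implementation({"i", "r"}, "i",       # (i) receive and deliver, no check
    {("i", "receive", 2, "r"), ("r", "deliver", 3, "i")})
IMPL_CHECK = implementation({"i", "r", "c"}, "i",  # (ii) with a check, weights in range
    {("i", "receive", 2, "r"), ("r", "deliver", 2, "i"),
     ("r", "check", 3, "c"), ("c", "deliver", 1, "i")})
IMPL_LOOP = implementation({"i", "r"}, "i",        # (iii) checks forever, never delivers
    {("i", "receive", 2, "r"), ("r", "check", 3, "r")})
IMPL_SLOW = implementation({"i", "r"}, "i",        # (iv) receive takes 4, outside [1, 3]
    {("i", "receive", 4, "r"), ("r", "deliver", 3, "i")})

if __name__ == "__main__":
    for name, impl in [("plain", IMPL_PLAIN), ("check", IMPL_CHECK),
                       ("loop", IMPL_LOOP), ("slow", IMPL_SLOW)]:
        print(name, refines(impl, EMAIL_SPEC))
```

Implementations (i) and (ii) satisfy the specification; (iii) fails on the discrete structure, since no must deliver transition is ever implemented after receiving; (iv) fails only because $4 \notin [1, 3]$. Definition 2 returns the same Boolean answer for (iii) and (iv), which is exactly the fragility the introduction objects to.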
3 Thorough and Modal Refinement Distances

For the quantitative specification formalism we have introduced in the last section, the standard Boolean notions of satisfaction and refinement are too fragile. To be able to reason not only about whether a given quantitative implementation satisfies a given quantitative specification, but also to what extent, we introduce a notion of distance between both implementations and specifications.

We recall some terminology. Let $\mathbb{R}_{\ge 0} \cup \{\infty\}$ denote the extended positive reals, let $X$ be a set and $d : X \times X \to \mathbb{R}_{\ge 0} \cup \{\infty\}$. Then $d$ is called

– a hemimetric if $d(x, x) = 0$ for all $x \in X$ (indiscernibility of identicals) and $d(x, y) + d(y, z) \ge d(x, z)$ for all $x, y, z \in X$ (triangle inequality);

– a pseudometric if it is a hemimetric and additionally $d(x, y) = d(y, x)$ for all $x, y \in X$ (symmetry);

– a metric if it is a pseudometric and additionally $d(x, y) = 0$ implies $x = y$ for all $x, y \in X$ (identity of indiscernibles).

Note that as our (hemi-, pseudo-)metrics may take the value $\infty$, some authors will refer to them as extended (hemi-, pseudo-)metrics.

The symmetrization of a hemimetric $d$ is the pseudometric $\bar d : X \times X \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ given by $\bar d(x, y) = \max(d(x, y), d(y, x))$; this is the smallest of all pseudometrics $d'$ on $X$ for which $d \le d'$. Given hemimetrics $d$ on $X$ and $d'$ on another set $X'$, the product distance $D$ on $X \times X'$ is defined by $D((x, x'), (y, y')) = d(x, y) + d'(x', y')$.

We first define the distance between implementations; for this we introduce a distance on implementation labels by

(1)

In the rest of the paper, let $\lambda \in \mathbb{R}$ with $0 < \lambda < 1$ be a discounting factor.

Definition 4. The implementation distance $d : I_1 \times I_2 \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ between the states of implementations $\mathcal{I}_1$ and $\mathcal{I}_2$ is the least fixed point of the equations

We define $d(\mathcal{I}_1, \mathcal{I}_2) = d(i_1^0, i_2^0)$.

Lemma 1. The implementation distance is well-defined, and is a pseudometric.

Proof. Except for the symmetrizing max operation, this is precisely the accumulating branching distance from [32, 43]. Because of $\lambda < 1$, the equations above define a contraction (with Lipschitz constant $\lambda$), so the Banach fixed point theorem (for extended metric spaces) applies. Hence besides the fixed point $d(i_1, i_2) = \infty$, the contraction has at most one other fixed point, i.e. there exists indeed a unique least fixed point. We refer to [32] for a more detailed proof.

Symmetry of $d$ is clear, and so is the property $d(i, i) = 0$. The triangle inequality can be shown inductively, cf. [32]. □

Fig. 6. Two weighted transition systems with branching distance $d(\mathcal{I}_1, \mathcal{I}_2) = 18$.

We remark that besides this accumulating distance, other interesting system distances may be defined depending on the application at hand, cf. [43, 26, 27], but we concentrate here on this distance and leave a generalization to other distances for future work.

Example 1. Consider the two implementations $\mathcal{I}_1$ and $\mathcal{I}_2$ in Figure 6 with a single action (elided for simplicity) and with discounting factor $\lambda = .9$. The equations in the illustration have already been simplified by removing all expressions that evaluate to $\infty$. What remains to be done is to compute the least fixed point of the equation $d(k_1, i_2) = \max\{2 + .9\, d(k_1, i_2),\ 0\}$. Clearly $0$ is not a fixed point, and solving the equation $d(k_1, i_2) = 2 + .9\, d(k_1, i_2)$ gives $d(k_1, i_2) = 20$. Hence $d(i_1, i_2) = \max\{3,\ .9 \cdot 20\} = 18$.

Note that the interpretation of the distance between two implementations depends entirely on the application one has in mind; but it can easily be shown [43] that the distance between two implementations is zero if and only if they are weighted bisimilar. The intuition is then that the smaller the distance, the closer the implementations are to being bisimilar.

To lift the implementation distance to specifications, we need first to consider the distance between sets of implementations. Given implementation sets $\mathcal{X}_1, \mathcal{X}_2$, we define

$$d(\mathcal{X}_1, \mathcal{X}_2) = \sup_{\mathcal{I}_1 \in \mathcal{X}_1}\ \inf_{\mathcal{I}_2 \in \mathcal{X}_2} d(\mathcal{I}_1, \mathcal{I}_2).$$

Note that in case $\mathcal{X}_2$ is finite, we have that for all $\varepsilon > 0$, $d(\mathcal{X}_1, \mathcal{X}_2) \le \varepsilon$ if and only if for each implementation $\mathcal{I}_1 \in \mathcal{X}_1$ there exists $\mathcal{I}_2 \in \mathcal{X}_2$ for which $d(\mathcal{I}_1, \mathcal{I}_2) \le \varepsilon$, hence this is quite a natural notion of distance. Especially, $d(\mathcal{X}_1, \mathcal{X}_2) = 0$ if $\mathcal{X}_1$ is a subset of $\mathcal{X}_2$ up to bisimilarity. For infinite $\mathcal{X}_2$, we have the slightly more complicated property that $d(\mathcal{X}_1, \mathcal{X}_2) \le \varepsilon$ if and only if for all $\delta > 0$ and any $\mathcal{I}_1 \in \mathcal{X}_1$, there is $\mathcal{I}_2 \in \mathcal{X}_2$ for which $d(\mathcal{I}_1, \mathcal{I}_2) \le \varepsilon + \delta$.

Also remark the similarity of this definition to the one of Hausdorff distance between subsets of a metric space, see e.g. [3, Sect. 3.16]. Crucially however, our distance is missing the symmetrizing max operation of Hausdorff distance, hence it is asymmetric. We may well have $d(\mathcal{X}_1, \mathcal{X}_2) \ne d(\mathcal{X}_2, \mathcal{X}_1)$ and will thus prefer to speak of the distance from $\mathcal{X}_1$ to $\mathcal{X}_2$ rather than between $\mathcal{X}_1$ and $\mathcal{X}_2$. We lift this distance to specifications as follows:

Definition 5. The thorough refinement distance between WMTS $\mathcal{S}_1$ and $\mathcal{S}_2$ is defined as $d_t(\mathcal{S}_1, \mathcal{S}_2) = d([\![\mathcal{S}_1]\!], [\![\mathcal{S}_2]\!])$. We write $\mathcal{S}_1 \le_t^\varepsilon \mathcal{S}_2$ if $d_t(\mathcal{S}_1, \mathcal{S}_2) \le \varepsilon$.

Lemma 2. The thorough refinement distance is a hemimetric.

Proof. To show that $d_t(\mathcal{S}, \mathcal{S}) = 0$ is trivial, and the triangle inequality $d_t(\mathcal{S}_1, \mathcal{S}_2) + d_t(\mathcal{S}_2, \mathcal{S}_3) \ge d_t(\mathcal{S}_1, \mathcal{S}_3)$ follows like in the proof of [3, Lemma 3.72]. □

Indeed this permits us to measure incompatibility of specifications; intuitively, if two specifications have thorough distance $\varepsilon$, then any implementation of the first specification can be matched by an implementation of the second up to $\varepsilon$. Also observe the special case where $\mathcal{S}_1 = \mathcal{I}_1$ is an implementation: then $d_t(\mathcal{I}_1, \mathcal{S}_2) = \inf_{\mathcal{I}_2 \in [\![\mathcal{S}_2]\!]} d(\mathcal{I}_1, \mathcal{I}_2)$, which measures how close $\mathcal{I}_1$ is to satisfying the specification $\mathcal{S}_2$.

To facilitate computation and comparison of refinement distance, we introduce modal refinement distance as an overapproximation. We will show in Theorem 3 below that, similarly to the Boolean setting [5], computation of thorough refinement distance is EXPTIME-hard, whereas modal refinement distance is computable in NP ∩ coNP.

First we generalize the distance on implementation labels from Equation (1) to specification labels, again using a Hausdorff-type construction. For $k, \ell \in \mathrm{Spec}$ we define

$$d_{\mathrm{Spec}}(k, \ell) = \sup_{k' \sqsubseteq k,\ k' \in \mathrm{Imp}}\ \inf_{\ell' \sqsubseteq \ell,\ \ell' \in \mathrm{Imp}} d_{\mathrm{Imp}}(k', \ell').$$

Note that $d_{\mathrm{Spec}}$ is asymmetric, and that $d_{\mathrm{Spec}}(k, \ell) = 0$ if and only if $k \sqsubseteq \ell$. Also, $d_{\mathrm{Spec}}(k, \ell) = d_{\mathrm{Imp}}(k, \ell)$ for all $k, \ell \in \mathrm{Imp}$. In more elementary terms, we can express $d_{\mathrm{Spec}}$ as follows:

$$d_{\mathrm{Spec}}((a_1, I_1), (a_2, I_2)) = \infty \quad \text{if } a_1 \ne a_2,$$
$$d_{\mathrm{Spec}}((a, [x_1, y_1]), (a, [x_2, y_2])) = \max(x_2 - x_1,\ y_1 - y_2,\ 0).$$

Definition 6. Let $\mathcal{S}_1, \mathcal{S}_2$ be WMTS. The modal refinement distance $d_m : S_1 \times S_2 \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ from states of $\mathcal{S}_1$ to states of $\mathcal{S}_2$ is the least fixed point of the equations

$$d_m(s_1, s_2) = \max\left\{\ \sup_{s_1 \stackrel{k_1}{\dashrightarrow}_1 t_1}\ \inf_{s_2 \stackrel{k_2}{\dashrightarrow}_2 t_2} d_{\mathrm{Spec}}(k_1, k_2) + \lambda\, d_m(t_1, t_2),\quad \sup_{s_2 \stackrel{k_2}{\to}_2 t_2}\ \inf_{s_1 \stackrel{k_1}{\to}_1 t_1} d_{\mathrm{Spec}}(k_1, k_2) + \lambda\, d_m(t_1, t_2)\ \right\}.$$

We define $d_m(\mathcal{S}_1, \mathcal{S}_2) = d_m(s_1^0, s_2^0)$, and we write $\mathcal{S}_1 \le_m^\varepsilon \mathcal{S}_2$ if $d_m(\mathcal{S}_1, \mathcal{S}_2) \le \varepsilon$.

Lemma 3. The modal refinement distance is well-defined, and is a hemimetric.
Proof. Like in the proof of Lemma 1, the argument for existence of a unique least fixed point to the defining equations is that they define a contraction. The triangle inequality can again be shown inductively, and the property $d_m(s, s) = 0$ is clear. □
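How the least fixed point of Definition 6 can be computed for finite WMTS, as an added worked example (this is not the paper's own code, nor its game-based algorithm): the two sup/inf branches are iterated from the all-zero function until the values stabilize, using the elementary form of $d_{\mathrm{Spec}}$ given above. Since an implementation is a WMTS with may $=$ must and point intervals, the same function yields the implementation distance of Definition 4. The pair $\mathcal{I}_1, \mathcal{I}_2$ below is constructed so that its equations have the shape of Example 1 (it is not Figure 6), and the email specification with four implementations (a) to (d), all intervals and weights assumed in the spirit of Figures 3 and 4, reproduces the chain of distances $\infty > d(\mathcal{I}_b, \mathcal{S}) > d(\mathcal{I}_c, \mathcal{S}) > 0$ from the introduction.

```python
import math

LAMBDA = 0.9  # discounting factor, 0 < λ < 1 (the value used in Example 1)

def d_spec(k1, k2):
    """Elementary form of d_Spec from the text: ∞ for different actions,
    otherwise max(x2 - x1, y1 - y2, 0).  On point intervals this is |x - y|,
    i.e. the label distance between implementations."""
    (a1, x1, y1), (a2, x2, y2) = k1, k2
    if a1 != a2:
        return math.inf
    return max(x2 - x1, y1 - y2, 0)

def outgoing(trans, s):
    """Outgoing transitions of s as ((action, lo, hi), target) pairs."""
    return [((a, lo, hi), t) for (src, a, lo, hi, t) in trans if src == s]

def sup(values):
    vs = list(values)
    return max(vs) if vs else 0.0       # sup over the empty set is 0

def inf(values):
    vs = list(values)
    return min(vs) if vs else math.inf  # inf over the empty set is ∞

def modal_refinement_distance(S1, S2, lam=LAMBDA, tol=1e-9, max_iter=100000):
    """Least fixed point of the Definition 6 equations for finite WMTS
    S = (states, initial, may, must), by Kleene iteration from the all-zero
    function.  The map is monotone and a contraction for λ < 1, so the
    iterates converge to the least fixed point; a discrete mismatch makes a
    pair ∞ and it stays ∞.  Returns (d_m(S1, S2), table of all pair values)."""
    states1, init1, may1, must1 = S1
    states2, init2, may2, must2 = S2
    d = {(s1, s2): 0.0 for s1 in states1 for s2 in states2}
    for _ in range(max_iter):
        new = {}
        for (s1, s2) in d:
            # may branch: each may transition of s1 is matched by one of s2
            may_part = sup(
                inf(d_spec(k1, k2) + lam * d[(t1, t2)]
                    for (k2, t2) in outgoing(may2, s2))
                for (k1, t1) in outgoing(may1, s1))
            # must branch: each must transition of s2 is matched by one of s1
            must_part = sup(
                inf(d_spec(k1, k2) + lam * d[(t1, t2)]
                    for (k1, t1) in outgoing(must1, s1))
                for (k2, t2) in outgoing(must2, s2))
            new[(s1, s2)] = max(may_part, must_part)
        converged = all(new[p] == d[p] or abs(new[p] - d[p]) < tol for p in d)
        d = new
        if converged:
            break
    return d[(init1, init2)], d

def implementation(states, init, trans):
    """Implementation (may == must, point intervals) from (src, action, weight, tgt)."""
    t = {(s, a, w, w, s2) for (s, a, w, s2) in trans}
    return (states, init, t, t)

# Constructed pair of implementations (not Figure 6 itself) whose equations have
# the shape of Example 1: the weight-2 self-loop against the weight-0 self-loop
# gives the fixed point 2 + 0.9·d = 20, so the initial states are at distance
# max{3, 0.9·20} = 18.
I1 = implementation({"i1", "j1", "k1"}, "i1",
    {("i1", "a", 3, "j1"), ("i1", "a", 0, "k1"), ("k1", "a", 2, "k1")})
I2 = implementation({"i2", "j2", "k2"}, "i2",
    {("i2", "a", 0, "j2"), ("i2", "a", 0, "k2"), ("k2", "a", 0, "k2")})

# Constructed email specification in the spirit of Figure 3 (intervals assumed):
# receive in [1, 3], optional check in [0, 5], deliver in [1, 4] after reception
# and in [1, 2] after a check.
SPEC_MUST = {("idle", "receive", 1, 3, "received"),
             ("received", "deliver", 1, 4, "idle"),
             ("checked", "deliver", 1, 2, "idle")}
EMAIL_SPEC = ({"idle", "received", "checked"}, "idle",
              SPEC_MUST | {("received", "check", 0, 5, "checked")}, SPEC_MUST)

# Four constructed implementations mirroring (a) to (d) of the introduction.
IMPL_A = implementation({"i", "r"}, "i",        # checks forever, never delivers
    {("i", "receive", 2, "r"), ("r", "check", 3, "r")})
IMPL_B = implementation({"i", "r"}, "i",        # receive takes 4, outside [1, 3]
    {("i", "receive", 4, "r"), ("r", "deliver", 2, "i")})
IMPL_C = implementation({"i", "r", "c"}, "i",   # deliver after check takes 3, outside [1, 2]
    {("i", "receive", 2, "r"), ("r", "deliver", 2, "i"),
     ("r", "check", 3, "c"), ("c", "deliver", 3, "i")})
IMPL_D = implementation({"i", "r", "c"}, "i",   # every weight inside its interval
    {("i", "receive", 2, "r"), ("r", "deliver", 2, "i"),
     ("r", "check", 3, "c"), ("c", "deliver", 1, "i")})

def example_distances():
    """d(I1, I2) and the chain d(A, S), d(B, S), d(C, S), d(D, S)."""
    chain = [modal_refinement_distance(I, EMAIL_SPEC)[0]
             for I in (IMPL_A, IMPL_B, IMPL_C, IMPL_D)]
    return modal_refinement_distance(I1, I2)[0], chain

if __name__ == "__main__":
    d12, chain = example_distances()
    print("d(I1, I2) =", d12)          # 18 up to the iteration tolerance
    print("d(I_a..I_d, S) =", chain)    # inf, 100/19, 0.81/0.271, 0
```

The value for implementation (b) solves $d = 1 + \lambda^2 d$, since the weight error of 1 on receive is incurred again on every cycle; for (c) the same error sits two steps later and is discounted once more before the cycle closes, which is why $d = \lambda^2(1 + \lambda d)$ comes out smaller. Kleene iteration converges geometrically with factor $\lambda$, so it only approximates the value to the chosen tolerance; it does not replace the game reduction the paper uses for its complexity bound.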

We can now give a precise definition of compact branching; for this we need the notions of symmetrization of a hemimetric and of product distance as defined at the beginning of this section.

Definition 7. A WMTS $\mathcal{S}$ is said to be compactly branching if the sets $\{(s', k) \mid s \stackrel{k}{\dashrightarrow} s'\}, \{(s', k) \mid s \stackrel{k}{\to} s'\} \subseteq S \times \mathrm{Spec}$ are compact under the symmetrized product distance $\bar d_m \times \bar d_{\mathrm{Spec}}$ for every $s \in S$.

The notion of compact branching was first introduced, for a formalism of metric transition systems, in [45]. It is a natural generalization of the standard requirement on transition systems to be finitely branching to a distance setting; we will need it for the property that continuous functions defined on the sets $\{(s', k) \mid s \stackrel{k}{\dashrightarrow} s'\}, \{(s', k) \mid s \stackrel{k}{\to} s'\} \subseteq S \times \mathrm{Spec}$, for some $s \in S$, attain their infimum and supremum, see Lemma 5 and its proof below.

Thus, we shall henceforth assume all our WMTS to be compactly branching. The following lemma sets up some sufficient conditions for this to be the case.

Lemma 4. Let $\mathcal{S}$ be a WMTS and define the sets $L_i(s, a)$, $U_i(s, a)$ for all $s \in S$, $a \in \Sigma$ and $i \in \{1, 2\}$ by

$$L_1(s, a) = \{l \mid s \stackrel{a, [l, r]}{\dashrightarrow} s'\}, \qquad U_1(s, a) = \{r \mid s \stackrel{a, [l, r]}{\dashrightarrow} s'\},$$
$$L_2(s, a) = \{l \mid s \stackrel{a, [l, r]}{\to} s'\}, \qquad U_2(s, a) = \{r \mid s \stackrel{a, [l, r]}{\to} s'\}.$$

Then $\mathcal{S}$ is compactly branching if

– for all $s \in S$, any Cauchy sequence $(s'_n)_{n \in \mathbb{N}}$ in $\{s' \mid s \dashrightarrow s'\}$ (with pseudometric $\bar d_m$) has $\lim_{n \to \infty} s'_n \in \{s' \mid s \dashrightarrow s'\}$, and likewise, any Cauchy sequence $(s'_n)_{n \in \mathbb{N}}$ in $\{s' \mid s \to s'\}$ has $\lim_{n \to \infty} s'_n \in \{s' \mid s \to s'\}$, and

– for all $s \in S$, $a \in \Sigma$ and $i \in \{1, 2\}$, $L_i$ is finite or $-\infty \in L_i$, and $U_i$ is finite or $\infty \in U_i$.

Note that the first property mimics (and generalizes) standard properties of finite branching and saturation, cf. [39, Sect. 3.3]. The intuition is that if $s$ has (either may or must) transitions to a converging sequence of states, then it also has a transition to the limit.

Proof. The first condition implies that the sets $\{s' \in S \mid s \dashrightarrow s'\}$ and $\{s' \in S \mid s \to s'\}$ are compact in the pseudometric $\bar d_m$ for all $s \in S$. By Tychonoff's theorem, products of compact sets are compact, so we need only show that the second condition implies that the sets $\{k \in \mathrm{Spec} \mid s \stackrel{k}{\dashrightarrow} s'\}$ and $\{k \in \mathrm{Spec} \mid s \stackrel{k}{\to} s'\}$ are compact in the pseudometric $\bar d_{\mathrm{Spec}}$ for every $s \in S$.

Let $s \in S$. By definition of $d_{\mathrm{Spec}}$, the sets $\{k \mid s \stackrel{k}{\dashrightarrow} s'\}$, $\{k \mid s \stackrel{k}{\to} s'\}$ fall into connected components $\{I \mid s \stackrel{a, I}{\dashrightarrow} s'\}$, $\{I \mid s \stackrel{a, I}{\to} s'\}$ for all $a \in \Sigma$, hence the former are compact if and only if all the latter are. These in turn are compact if and only if the four sets $L_i$, $U_i$ in the lemma, collecting lower and upper bounds of intervals, are compact. Now interval bounds are extended integers, so a sequence in $L_i$ or $U_i$ converges if and only if it is eventually stable or goes towards $-\infty$ or $\infty$. If the sets are finite, eventual stability is the only option; if they are infinite, they need to include the limit points $-\infty$ (for the lower interval bounds in $L_i$) or $\infty$ (for the upper interval bounds in $U_i$). □

There is a powerful proof technique introduced for branching distances between implementations in [43] that we here extend to modal refinement distance. We define a modal refinement family as an ℝ≥0-indexed family of relations R = {R_ε ⊆ S_1 × S_2 | ε ≥ 0} such that for any ε and any (s_1, s_2) ∈ R_ε,

– whenever s_1 --k_1-->_1 t_1 for some k_1 ∈ Spec, t_1 ∈ S_1, then there exists s_2 --k_2-->_2 t_2 for some k_2 ∈ Spec, t_2 ∈ S_2, such that d_Spec(k_1, k_2) ≤ ε and (t_1, t_2) ∈ R_ε' for some ε' ≤ λ^{-1}(ε − d_Spec(k_1, k_2)),

– whenever s_2 -k_2->_2 t_2 for some k_2 ∈ Spec, t_2 ∈ S_2, then there exists s_1 -k_1->_1 t_1 for some k_1 ∈ Spec, t_1 ∈ S_1, such that d_Spec(k_1, k_2) ≤ ε and (t_1, t_2) ∈ R_ε' for some ε' ≤ λ^{-1}(ε − d_Spec(k_1, k_2)).

Note that modal refinement families are

– upward closed in the sense that (s_1, s_2) ∈ R_ε implies that (s_1, s_2) ∈ R_ε' for all ε' ≥ ε, and

– downward closed in the sense that for any set E ⊆ ℝ≥0, if (s_1, s_2) ∈ R_ε for all ε ∈ E, then also (s_1, s_2) ∈ R_{inf E}. This property follows from the assumption that our WMTS are compactly branching.

Following the proof strategy developed in [43] for implementations, we can show the following characterization of modal refinement distance by modal refinement families:

Lemma 5. S_1 ≤^ε_m S_2 if and only if there is a modal refinement family R with (s_1^0, s_2^0) ∈ R_ε ∈ R.

Proof. First, assume that S_1 ≤^ε_m S_2, i.e. d_m(s_1^0, s_2^0) ≤ ε, and define a relation family R = {R_δ | δ ≥ 0} by R_δ = {(s_1, s_2) ∈ S_1 × S_2 | d_m(s_1, s_2) ≤ δ} for all δ ≥ 0; then (s_1^0, s_2^0) ∈ R_ε holds by assumption. We show that R is a modal refinement family. Let (s_1, s_2) ∈ R_δ for some δ ≥ 0, then by definition we know that d_m(s_1, s_2) ≤ δ. Assume s_1 --k_1-->_1 t_1. From d_m(s_1, s_2) ≤ δ we can infer that
\[
\inf_{s_2 \overset{k_2}{\dashrightarrow}_2 t_2} d_{\mathrm{Spec}}(k_1, k_2) + \lambda d_m(t_1, t_2) \le \delta.
\]
Hence, because S_2 is compactly branching, there exists a may-transition s_2 --k_2-->_2 t_2 such that d_Spec(k_1, k_2) ≤ δ and d_m(t_1, t_2) ≤ λ^{-1}(δ − d_Spec(k_1, k_2)). The latter implies that (t_1, t_2) ∈ R_δ' for some δ' ≤ λ^{-1}(δ − d_Spec(k_1, k_2)) which was to be shown. The argument for the other assertion for must-transitions is symmetric.
Fig. 7. Incompleteness of modal refinement distance: d_t(S_1, S_2) = 0, but d_m(S_1, S_2) = ∞.



This proves that there is a modal refinement family R such that (s_1^0, s_2^0) ∈ R_ε ∈ R.

For the reverse direction, assume that (s_1^0, s_2^0) ∈ R_ε ∈ R for some modal refinement family R = {R_ε | ε ≥ 0}. We prove that (s_1, s_2) ∈ R_δ, for some δ ≥ 0, implies d_m(s_1, s_2) ≤ δ. The claim S_1 ≤^ε_m S_2 then follows from the assumption (s_1^0, s_2^0) ∈ R_ε.

To this end, observe that the space of functions Λ = [S_1 × S_2 → ℝ≥0 ∪ {∞}] forms a complete lattice, when the partial order ≤_Λ is defined such that for f, f' ∈ Λ, f ≤_Λ f' iff f(s_1, s_2) ≤ f'(s_1, s_2) for all s_1 ∈ S_1, s_2 ∈ S_2. Moreover, since max, sup, inf and + are monotone, the function D defined for all f ∈ Λ by
\[
D(f)(s_1, s_2) = \max\Big(
\sup_{s_1 \overset{k_1}{\dashrightarrow}_1 t_1} \;\inf_{s_2 \overset{k_2}{\dashrightarrow}_2 t_2} d_{\mathrm{Spec}}(k_1, k_2) + \lambda f(t_1, t_2),\;
\sup_{s_2 \overset{k_2}{\longrightarrow}_2 t_2} \;\inf_{s_1 \overset{k_1}{\longrightarrow}_1 t_1} d_{\mathrm{Spec}}(k_1, k_2) + \lambda f(t_1, t_2)
\Big)
\]
is a monotone endofunction on Λ, hence by Tarski's fixed point theorem, D has a least fixed point. Now let us define h(s_1, s_2) = inf{δ | (s_1, s_2) ∈ R_δ ∈ R}, and since R_δ is downward closed, we have that (s_1, s_2) ∈ R_{h(s_1, s_2)}. By showing that h is a pre-fixed point of D, i.e. that D(h) ≤_Λ h, we get that (s_1, s_2) ∈ R_δ implies that d_m(s_1, s_2) ≤ δ, since h(s_1, s_2) ≤ δ and d_m(s_1, s_2) ≤ h(s_1, s_2).

Since (s_1, s_2) ∈ R_{h(s_1, s_2)}, every s_1 --k_1-->_1 s_1' can be matched by some s_2 --k_2-->_2 s_2' such that d_Spec(k_1, k_2) + λδ' ≤ h(s_1, s_2) for some δ' where (s_1', s_2') ∈ R_δ', implying h(s_1', s_2') ≤ δ', but then also d_Spec(k_1, k_2) + λh(s_1', s_2') ≤ h(s_1, s_2). Similarly, every s_2 -k_2->_2 s_2' has a match s_1 -k_1->_1 s_1' such that d_Spec(k_1, k_2) + λh(s_1', s_2') ≤ h(s_1, s_2). Hence we have D(h) ≤_Λ h which was to be shown. □

The next theorems show that modal refinement distance indeed overapproximates thorough refinement distance, and that it is exact for deterministic WMTS. Note that nothing general can be said about the precision of the overapproximation in the nondeterministic case; as an example observe the two specifications in Figure 7 for which d_t(S_1, S_2) = 0 but d_m(S_1, S_2) = ∞.

Theorem 1. For WMTS S_1, S_2 we have d_t(S_1, S_2) ≤ d_m(S_1, S_2).

Proof. If d_m(S_1, S_2) = ∞, we have nothing to prove. Otherwise, let R = {R_ε ⊆ S_1 × S_2 | ε ≥ 0} be a modal refinement family which witnesses d_m(S_1, S_2), i.e. such that (s_1^0, s_2^0) ∈ R_{d_m(S_1, S_2)}, and let I_1 ∈ ⟦S_1⟧. We have to expose I_2 ∈ ⟦S_2⟧ for which d(I_1, I_2) ≤ d_m(S_1, S_2).
Let R_1 ⊆ I_1 × S_1 be a witness for I_1 ≤_m S_1, define R'_ε = R_1 ∘ R_ε ⊆ I_1 × S_2 for all ε ≥ 0, and let R' = {R'_ε | ε ≥ 0}. The states of I_2 = (I_2, i_2^0, Imp, →_{I_2}) are I_2 = S_2 with i_2^0 = s_2^0, and the transitions we define as follows:

For any i_1 -k_1'->_{I_1} j_1 and any s_2 ∈ S_2 for which (i_1, s_2) ∈ R'_ε ∈ R' for some ε, we have s_2 --k_2-->_2 t_2 in S_2 with d_Spec(k_1', k_2) ≤ ε and (j_1, t_2) ∈ R'_ε' ∈ R' for some ε' ≤ λ^{-1}(ε − d_Spec(k_1', k_2)). Write k_1' = (a_1', x_1') and k_2 = (a_2, [x_2, y_2]), then we must have a_1' = a_2. Let
\[
x_2' = \begin{cases} x_2 & \text{if } x_1' < x_2, \\ x_1' & \text{if } x_2 \le x_1' \le y_2, \\ y_2 & \text{if } x_1' > y_2 \end{cases} \tag{2}
\]
and k_2' = (a_2, x_2'), and put s_2 -k_2'->_{I_2} t_2 in I_2. Note that
\[
d_{\mathrm{Spec}}(k_1', k_2') = d_{\mathrm{Spec}}(k_1', k_2). \tag{3}
\]

Similarly, for any s_2 -k_2->_2 t_2 in S_2 and any i_1 ∈ I_1 with (i_1, s_2) ∈ R'_ε ∈ R' for some ε, we have i_1 -k_1'->_{I_1} j_1 with d_Spec(k_1', k_2) ≤ ε and (j_1, t_2) ∈ R'_ε' ∈ R' for some ε' ≤ λ^{-1}(ε − d_Spec(k_1', k_2)). Write k_1' = (a_1', x_1') and k_2 = (a_2, [x_2, y_2]), define x_2' as in (2) and k_2' = (a_2, x_2'), and put s_2 -k_2'->_{I_2} t_2 in I_2.

We show that the identity relation id_{S_2} = {(s_2, s_2) | s_2 ∈ S_2} ⊆ S_2 × S_2 witnesses I_2 ≤_m S_2. Let first s_2 -k_2'->_{I_2} t_2; we must have used one of the two constructions above for creating this transition. In the first case, we have s_2 --k_2-->_2 t_2 with k_2' ⊑ k_2, and in the second case, we have s_2 -k_2->_2 t_2, hence also s_2 --k_2-->_2 t_2, with the same property. For a transition s_2 -k_2->_2 t_2 on the other hand, we have introduced s_2 -k_2'->_{I_2} t_2 in the second construction above, with k_2' ⊑ k_2.

We also want to show that the family R' is a witness for d(I_1, I_2) ≤ d_m(S_1, S_2). We have (i_1^0, s_2^0) ∈ R'_{d_m(S_1, S_2)} = R_1 ∘ R_{d_m(S_1, S_2)}, so let (i_1, s_2) ∈ R'_ε ∈ R' for some ε ≥ 0. For any i_1 -k_1'->_{I_1} j_1 we have s_2 --k_2-->_2 t_2 and s_2 -k_2'->_{I_2} t_2 by the first part of our construction above, with d_Spec(k_1', k_2') = d_Spec(k_1', k_2) ≤ ε because of (3), and also (j_1, t_2) ∈ R'_ε' ∈ R' for some ε' ≤ λ^{-1}(ε − d_Spec(k_1', k_2')). For any s_2 -k_2'->_{I_2} t_2, we must have used one of the constructions above to introduce this transition, and both give us i_1 -k_1'->_{I_1} j_1 with d_Spec(k_1', k_2') ≤ ε and (j_1, t_2) ∈ R'_ε' ∈ R' for some ε' ≤ λ^{-1}(ε − d_Spec(k_1', k_2')). □

The fact that modal refinement only equals thorough refinement for deterministic specifications is well-known from the theory of modal transition systems [31], and the special case of S_2 deterministic is important, as it can be argued [31] that indeed, deterministic specifications are sufficient for applications.

Theorem 2. If S_2 is deterministic, then d_t(S_1, S_2) = d_m(S_1, S_2).

Proof. If d_t(S_1, S_2) = ∞, we are done by Theorem 1. Otherwise, let R = {R_ε | ε ≥ 0} be the smallest relation family for which

– (s_1^0, s_2^0) ∈ R_{d_t(S_1, S_2)} and

– whenever we have (s_1, s_2) ∈ R_ε ∈ R, s_1 --a,I_1-->_1 t_1, and s_2 --a,I_2-->_2 t_2, then (t_1, t_2) ∈ R_{λ^{-1}(ε − d_Spec((a, I_1), (a, I_2)))}.

We show below that this definition makes sense (also that ε − d_Spec((a, I_1), (a, I_2)) ≥ 0 in all cases), and that R is a modal refinement family. We will use the convenient notation (s_1, S_1) for the WMTS S_1 with initial state s_1^0 replaced by s_1, similarly for (s_2, S_2).

We first show inductively that for any pair of states (s_1, s_2) ∈ R_ε ∈ R we have d_t((s_1, S_1), (s_2, S_2)) ≤ ε. This is obviously the case for s_1 = s_1^0 and s_2 = s_2^0, so assume now that (s_1, s_2) ∈ R_ε ∈ R is such that d_t((s_1, S_1), (s_2, S_2)) ≤ ε and let s_1 --a,I_1-->_1 t_1, s_2 --a,I_2-->_2 t_2. Let (q_1', P_1') ∈ ⟦(t_1, S_1)⟧ and x_1 ∈ I_1.

There is an implementation (p_1, P_1) ∈ ⟦(s_1, S_1)⟧ for which p_1 -a,x_1->_1 q_1 and such that (q_1, P_1) ≤_m (q_1', P_1'). Now
\[
d_t((p_1, P_1), (s_2, S_2)) \le d_t((p_1, P_1), (s_1, S_1)) + d_t((s_1, S_1), (s_2, S_2)) \le \varepsilon,
\]
hence we must have s_2 --a_2',I_2'-->_2 t_2' with d_Spec((a, x_1), (a_2', I_2')) ≤ ε. But then a_2' = a, hence by determinism of S_2, I_2' = I_2 and t_2' = t_2.

The above considerations hold for any x_1 ∈ I_1, hence d_Spec((a, I_1), (a, I_2)) ≤ ε. Thus ε − d_Spec((a, I_1), (a, I_2)) ≥ 0, and the definition of R above is justified. Now let x_2 ∈ I_2 such that d_Spec((a, x_1), (a, x_2)) = d_Spec((a, x_1), (a, I_2)), then there is an implementation (p_2, P_2) ∈ ⟦(s_2, S_2)⟧ for which p_2 -a,x_2->_2 q_2, and
\[
d((q_1', P_1'), (q_2, P_2)) \le \lambda^{-1}\big(\varepsilon - d_{\mathrm{Spec}}((a, x_1), (a, x_2))\big)
= \lambda^{-1}\big(\varepsilon - d_{\mathrm{Spec}}((a, I_1), (a, I_2))\big),
\]
which, as (q_1', P_1') ∈ ⟦(t_1, S_1)⟧ was chosen arbitrarily, entails d_t((t_1, S_1), (t_2, S_2)) ≤ λ^{-1}(ε − d_Spec((a, I_1), (a, I_2))).

We are ready to show that R is a refinement family. Let (s_1, s_2) ∈ R_ε ∈ R for some ε, and assume s_1 --a,I_1-->_1 t_1. Let x ∈ I_1, then there is an implementation (p, P) ∈ ⟦(s_1, S_1)⟧ with a transition p -a,x-> q. Now d_t((p, P), (s_2, S_2)) ≤ ε, hence we have a transition s_2 --a,I_2^x-->_2 t_2^x with d_Spec((a, x), (a, I_2^x)) ≤ ε. Also for any other x' ∈ I_1 we have a transition s_2 --a,I_2^{x'}-->_2 t_2^{x'} with d_Spec((a, x'), (a, I_2^{x'})) ≤ ε, hence by determinism of S_2, I_2^x = I_2^{x'} and t_2^x = t_2^{x'}. It follows that there is a unique transition s_2 --a,I_2-->_2 t_2, and as d_Spec((a, x), (a, I_2)) ≤ ε for all x ∈ I_1, we have d_Spec((a, I_1), (a, I_2)) ≤ ε, and (t_1, t_2) ∈ R_{λ^{-1}(ε − d_Spec((a, I_1), (a, I_2)))} by definition.

Now assume s_2 -a,I_2->_2 t_2. Let (p_1, P_1) ∈ ⟦(s_1, S_1)⟧, then we have (p_2, P_2) ∈ ⟦(s_2, S_2)⟧ with d((p_1, P_1), (p_2, P_2)) ≤ ε. Now any (p_2, P_2) ∈ ⟦(s_2, S_2)⟧ has p_2 -a,x_2-> q_2 with x_2 ∈ I_2, thus there is also p_1 -a,x_1-> q_1 with d_Spec((a, x_1), (a, x_2)) ≤ ε and d((q_1, P_1), (q_2, P_2)) ≤ λ^{-1}(ε − d_Spec((a, x_1), (a, x_2))). This in turn implies that s_1 -a,I_1->_1 t_1 for some I_1 with x_1 ∈ I_1. We will be done once we can show d_Spec((a, I_1), (a, I_2)) ≤ ε, so assume to the contrary that there is x_1' ∈ I_1 with d_Spec((a, x_1'), (a, I_2)) > ε. Then there is an implementation (p_1', P_1') ∈ ⟦(s_1, S_1)⟧ with p_1' -a,x_1'-> q_1', hence a transition s_2 --a,I_2'-->_2 t_2' with d_Spec((a, x_1'), (a, I_2')) ≤ ε. But I_2' = I_2 by determinism of S_2, a contradiction. □

4 Complexity of Computing Thorough and Modal Refinement Distances

The complexity results in the next theorem show that modal refinement distance 
can serve as a useful approximation of thorough refinement distance. 

Theorem 3. For finite WMTS S_1, S_2 and ε ≥ 0, it is EXPTIME-hard to decide whether S_1 ≤^ε_t S_2. The problem whether S_1 ≤^ε_m S_2 is decidable in NP ∩ co-NP.

The fact that computing thorough refinement distance is EXPTIME-hard is easy. By [5], deciding thorough refinement for MTS (without weights) is EXPTIME-complete. By translating MTS to WMTS with weight 0 on all transitions, deciding thorough refinement for modal transition systems polynomial-time reduces to deciding whether thorough refinement distance is ≤ 0.

To show an upper bound on the complexity of computing modal refinement distance, we need to introduce discounted values of weighted games, cf. [46]. A weighted game graph is a finite real-weighted bipartite digraph (V_1, V_2, →), i.e. with V_1 ∩ V_2 = ∅ and → ⊆ (V_1 × ℝ × V_2) ∪ (V_2 × ℝ × V_1) a finite set of edges. These are assumed to be non-blocking in the sense that each v ∈ V_1 ∪ V_2 has at least one outgoing edge v -r-> w (which is the shorthand for (v, r, w) ∈ →).

A Player-1 strategy in such a weighted game graph is a mapping θ_1 : V_1 → ℝ × V_2 for which (v_1, θ_1(v_1)) ∈ → for each v_1 ∈ V_1. Similarly, a Player-2 strategy is a mapping θ_2 : V_2 → ℝ × V_1 such that (v_2, θ_2(v_2)) ∈ → for each v_2 ∈ V_2. The sets of all Player-1 and Player-2 strategies are denoted Θ_1 and Θ_2, respectively.

Denote by tgt(e) = w the target of an edge e = (v, r, w) ∈ → and by wt(e) = r its weight. A vertex v_0 ∈ V_1 and a pair (θ_1, θ_2) ∈ Θ_1 × Θ_2 of strategies determine a unique infinite sequence (e_j(θ_1, θ_2))_{j≥0} of edges e_j(θ_1, θ_2) ∈ → for which
\[
\begin{aligned}
e_0(\theta_1, \theta_2) &= (v_0, \theta_1(v_0)), \\
e_{2j+1}(\theta_1, \theta_2) &= \big(\mathrm{tgt}(e_{2j}), \theta_2(\mathrm{tgt}(e_{2j}))\big), \\
e_{2j}(\theta_1, \theta_2) &= \big(\mathrm{tgt}(e_{2j-1}), \theta_1(\mathrm{tgt}(e_{2j-1}))\big).
\end{aligned}
\]

In other words, the two players alternate to pick edges in → according to their strategies. The discounted value of the game (V_1, V_2, →) played from v_0 ∈ V_1 with discounting factor λ, 0 < λ < 1, is defined to be
\[
p(v_0, \lambda) = \sup_{\theta_1 \in \Theta_1} \;\inf_{\theta_2 \in \Theta_2} \;\sum_{j=0}^{\infty} \lambda^j \,\mathrm{wt}(e_j(\theta_1, \theta_2)).
\]

We recall the following theorem from [46]; the complexity result is obtained by reduction to simple stochastic games [IB].
Lemma 6 ([46]). The discounted value p(v_0, λ) may be computed as the unique fixed point to the equations
\[
p(v, \lambda) = \begin{cases}
\max_{v \xrightarrow{r} w} \; r + \lambda p(w, \lambda) & \text{if } v \in V_1, \\
\min_{v \xrightarrow{r} w} \; r + \lambda p(w, \lambda) & \text{if } v \in V_2.
\end{cases}
\]
The decision problem corresponding to computing p(v_0) is contained in NP ∩ co-NP.

Next we present a reduction from modal refinement distance of WMTS to discounted values of weighted games, cf. [32].

Lemma 7. For WMTS S_1, S_2 one can construct in polynomial time a weighted game (V_1, V_2, →) with a vertex v_0 ∈ V_1 such that d_m(S_1, S_2) = p(v_0, λ).

Proof. Let V_1 = S_1 × S_2, V_2 = S_1 × S_2 × Spec × {may, must}, and define the transitions as follows:
\[
\begin{aligned}
(s_1, s_2) &\to (t_1, s_2, k_1, \mathrm{may}), \\
(s_1, s_2) &\to (s_1, t_2, k_2, \mathrm{must}), \\
(t_1, s_2, k_1, \mathrm{may}) &\to (t_1, t_2), \\
(s_1, t_2, k_2, \mathrm{must}) &\to (t_1, t_2).
\end{aligned}
\]
Setting v_0 = (s_1^0, s_2^0) finishes the construction. □

In [32] it is also shown that conversely, computing discounted values of weighted games may be polynomial-time reduced to computing simulation distance for weighted transition systems, hence we can conclude the following.

Lemma 8. The decision problem corresponding to computing modal refinement distance for WMTS is polynomial-time equivalent to the decision problem corresponding to computing discounted values of weighted games.
5 Relaxation

We introduce here a notion of relaxation which is specific to the quantitative setting. Intuitively, relaxing a specification means to weaken the quantitative constraints, while the discrete demands on which transitions may or must be present in implementations are kept. A similar notion of strengthening may be defined, but we do not use this here.

Definition 8. For WMTS S, S' and ε ≥ 0, S' is an ε-relaxation of S if S ≤_m S' and S' ≤^ε_m S.
Hence the quantitative constraints in S' may be more permissive than the ones in S, but no new discrete behavior may be introduced. Also note that any implementation of S is also an implementation of S', and no implementation of S' is further than ε away from an implementation of S. The following proposition relates specifications to relaxed specifications:

Proposition 1. If S_1' and S_2' are ε-relaxations of S_1 and S_2, respectively, then d_m(S_1, S_2) − ε ≤ d_m(S_1, S_2') ≤ d_m(S_1, S_2) and d_m(S_1, S_2) ≤ d_m(S_1', S_2) ≤ d_m(S_1, S_2) + ε.

Proof. By the triangle inequality we have 



On the syntactic level, we can introduce the following widening operator which relaxes all quantitative constraints in a systematic manner. We write I ± δ = [x − δ, y + δ] for an interval I = [x, y] and δ ∈ ℕ.

Definition 9. Given δ ∈ ℕ, the δ-widening of a WMTS S is the WMTS S^{+δ} with transitions s --a,I±δ--> t in S^{+δ} for all s --a,I--> t in S, and s -a,I±δ-> t in S^{+δ} for all s -a,I-> t in S.

Widening and relaxation are related as follows; note also that as widening is a global operation whereas relaxation may be achieved entirely locally, not all relaxations may be obtained as widenings.

Proposition 2. The δ-widening of any WMTS S is a (1 − λ)^{-1}δ-relaxation.

Proof. For the first claim, the identity relation id_S = {(s, s) | s ∈ S} ⊆ S × S is a witness for S ≤_m S^{+δ}: if s --k_1--> t, then by construction s --k_2-->^{+δ} t with k_1 ⊑ k_2, and if s -k_2->^{+δ} t, then again by construction s -k_1-> t for some k_1 ⊑ k_2.

Now to prove d_m(S^{+δ}, S) ≤ (1 − λ)^{-1}δ, we define a family of relations R = {R_ε | ε ≥ 0} by R_ε = ∅ for ε < (1 − λ)^{-1}δ and R_ε = id_S for ε ≥ (1 − λ)^{-1}δ. We show that R is a modal refinement family.

Let (s, s) ∈ R_ε for some ε ≥ (1 − λ)^{-1}δ, and assume s --k_2-->^{+δ} t. By construction there is a transition s --k--> t with d_Spec(k_2, k) ≤ δ ≤ ε. Now

and (t, t) ∈ R_ε, which settles this part of the proof. The other direction, starting

□

There is also an implementation-level notion which corresponds to relaxation:
[Figure 8: panels (a) S, (b) S^{+1}, (c) I]

Fig. 8. WMTS S and implementation I for which I ∈ ⟦S⟧^{+(1−λ)^{-1}δ}, for δ = 1 and λ = .9 (thus (1 − λ)^{-1}δ = 10), but I ∉ ⟦S^{+δ}⟧, so that ⟦S^{+δ}⟧ ⊊ ⟦S⟧^{+(1−λ)^{-1}δ}, even though S^{+δ} is a (1 − λ)^{-1}δ-relaxation of S.

Definition 10. The ε-extended implementation semantics, for ε ≥ 0, of a WMTS S is ⟦S⟧^{+ε} = {I | I ≤^ε_m S, I implementation}.

Proposition 3. If S' is an ε-relaxation of S, then ⟦S'⟧ ⊆ ⟦S⟧^{+ε}.

Proof. If I ∈ ⟦S'⟧, then d_m(I, S') = 0, hence d_m(I, S) ≤ ε by Proposition 2, which in turn implies that I ∈ ⟦S⟧^{+ε}. □

The example in Figure 8 shows that there are WMTS S, S' such that S' is an ε-relaxation of S but the inclusion ⟦S'⟧ ⊆ ⟦S⟧^{+ε} is strict. Indeed, for δ = 1 and λ = .9, we have I ∈ ⟦S⟧^{+(1−λ)^{-1}δ}, but I ∉ ⟦S^{+δ}⟧.
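The distance computation of Lemmas 5 and 7 and the widening of Definition 9, as an added Python example (not the paper's code): it computes d_m(S_1, S_2) as the least fixed point of the functional D from the proof of Lemma 5 by iterating from the zero function (by Lemma 7 this is also the discounted value of the corresponding game), then checks the bound of Proposition 2 on constructed one-state specifications. The formula for d_Spec is the one used in the proof of Lemma 9; the (action, (x, y)) label encoding, the state names, and the conventions sup ∅ = 0 and inf ∅ = ∞ are assumptions.

```python
"""Modal refinement distance d_m for weighted modal transition systems (WMTS).

Added example, not the paper's code. Assumed conventions:
  * a label is (action, (x, y)) for the integer interval [x, y];
  * d_Spec((a,[x1,y1]),(b,[x2,y2])) = inf if a != b, else max(x2-x1, y1-y2, 0)
    (the formula in the proof of Lemma 9);
  * sup over an empty set is 0, inf over an empty set is inf.
"""
from math import inf

INF = inf


def d_spec(k1, k2):
    """Label distance: how far the interval of k1 sticks out of that of k2."""
    (a1, (x1, y1)), (a2, (x2, y2)) = k1, k2
    if a1 != a2:
        return INF
    return max(x2 - x1, y1 - y2, 0)


class WMTS:
    """States are hashable names; `may` and `must` map a state to a list of
    (label, target) pairs. Every must transition is also a may transition."""

    def __init__(self, init, may, must):
        self.init = init
        self.must = {s: list(ts) for s, ts in must.items()}
        self.may = {s: list(ts) for s, ts in may.items()}
        for s, ts in self.must.items():          # enforce must ⊆ may
            for tr in ts:
                if tr not in self.may.setdefault(s, []):
                    self.may[s].append(tr)
        self.states = set(self.may) | {t for ts in self.may.values() for _, t in ts}
        self.states.add(init)

    def widen(self, delta):
        """δ-widening S^{+δ} of Definition 9: every interval [x, y] becomes [x-δ, y+δ]."""
        def w(ts):
            return [((a, (x - delta, y + delta)), t) for (a, (x, y)), t in ts]
        return WMTS(self.init,
                    {s: w(ts) for s, ts in self.may.items()},
                    {s: w(ts) for s, ts in self.must.items()})


def _step(f, s1, S1, s2, S2, lam):
    """One application of the functional D (proof of Lemma 5) at the pair (s1, s2):
    may transitions of s1 must be matched by may transitions of s2, and
    must transitions of s2 by must transitions of s1."""
    may_part = 0.0
    for k1, t1 in S1.may.get(s1, []):
        best = INF
        for k2, t2 in S2.may.get(s2, []):
            best = min(best, d_spec(k1, k2) + lam * f[(t1, t2)])
        may_part = max(may_part, best)
    must_part = 0.0
    for k2, t2 in S2.must.get(s2, []):
        best = INF
        for k1, t1 in S1.must.get(s1, []):
            best = min(best, d_spec(k1, k2) + lam * f[(t1, t2)])
        must_part = max(must_part, best)
    return max(may_part, must_part)


def modal_refinement_distance(S1, S2, lam=0.5, tol=1e-9, max_iter=10_000):
    """d_m(S1, S2) as the least fixed point of D, reached by Kleene iteration
    from f = 0; D is monotone and λ < 1, so the iteration converges from below."""
    pairs = [(s1, s2) for s1 in S1.states for s2 in S2.states]
    f = {p: 0.0 for p in pairs}
    for _ in range(max_iter):
        g = {(s1, s2): _step(f, s1, S1, s2, S2, lam) for s1, s2 in pairs}
        if all(g[p] == f[p] or abs(g[p] - f[p]) < tol for p in pairs):
            return g[(S1.init, S2.init)]
        f = g
    return f[(S1.init, S2.init)]


# Constructed sample specifications (not taken from the paper's figures).
# S1: a single must-loop labelled a,[1,2]; S2: a single must-loop labelled a,[2,4].
S1 = WMTS("s0", may={}, must={"s0": [(("a", (1, 2)), "s0")]})
S2 = WMTS("t0", may={}, must={"t0": [(("a", (2, 4)), "t0")]})
# S3 additionally requires an action b that S1 never offers.
S3 = WMTS("u0", may={}, must={"u0": [(("a", (1, 2)), "u0"), (("b", (0, 0)), "u0")]})

if __name__ == "__main__":
    lam = 0.5
    print(modal_refinement_distance(S1, S2, lam))          # 1/(1-λ) = 2.0
    print(modal_refinement_distance(S2, S1, lam))          # 2/(1-λ) = 4.0: d_m is directed
    print(modal_refinement_distance(S1, S3, lam))          # inf: must-transition b unmatched
    # Proposition 2 with δ = 1: S1 ≤_m S1^{+1} and d_m(S1^{+1}, S1) ≤ (1-λ)^{-1}·1 = 2.
    print(modal_refinement_distance(S1, S1.widen(1), lam))  # 0.0
    print(modal_refinement_distance(S1.widen(1), S1, lam))  # 2.0
```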

6 Limitations of the Quantitative Approach 

In this section we turn our attention towards some of the standard operators for specification theories: determinization and logical conjunction. In the standard Boolean setting, there is indeed a determinization operator which derives the smallest deterministic overapproximation of a specification, which is useful because it enables checking thorough refinement, cf. Theorem 2. Quite surprisingly, we show that in the quantitative setting, there are problems with these notions which do not appear in the Boolean theory. More specifically, we show that there is no determinization operator which always yields a smallest deterministic overapproximation, and there is no conjunction operator which acts as a greatest lower bound.

Theorem 4. There is no unary operator 𝒟 on WMTS for which it holds that

(4.1) 𝒟(S) is deterministic for any WMTS S,

(4.2) S ≤_m 𝒟(S) for any WMTS S,

(4.3) S ≤^ε_m D implies 𝒟(S) ≤^ε_m D for any WMTS S, any deterministic WMTS D, and any ε ≥ 0.

Proof. There is a determinization operator 𝒟' on WMTS which satisfies Properties (4.1) and (4.2) above and a weaker version of Property (4.3) with ε = 0:

(4.3') S ≤_m D implies 𝒟'(S) ≤_m D for any WMTS S and any deterministic WMTS D.

This 𝒟' can be defined as follows: For a WMTS S = (S, s^0, ⇢, →),
\[
\mathcal{D}'(S) = \big(\mathcal{P}(S) \setminus \{\emptyset\},\; \{s^0\},\; \dashrightarrow_D,\; \longrightarrow_D\big),
\]
where 𝒫(S) is the power set of S and the transition relations ⇢_D and →_D are defined as follows: Let T ∈ 𝒫(S) \ {∅} be a state in 𝒟'(S). For every maximal, nonempty set L_a ⊆ {I | ∃s ∈ T : s --a,I--> } for some a ∈ Σ, we have T --a,∪L_a-->_D T_a where T_a = {s' ∈ S | ∃s ∈ T, I ∈ L_a : s --a,I--> s'} and ∪L_a is the smallest interval containing all intervals from L_a. If, moreover, for each s ∈ T we have s -a,I-> s' for some s' ∈ T_a and some I ∈ L_a, then T -a,∪L_a->_D T_a. It is straightforward to prove that 𝒟' satisfies the expected properties.

Assume now that there is an operator 𝒟 as in the theorem. Then for any WMTS S, S ≤_m 𝒟(S) and thus 𝒟'(S) ≤_m 𝒟(S) by (4.3'), and S ≤_m 𝒟'(S) and hence 𝒟(S) ≤_m 𝒟'(S) by (4.3). We finish the proof by showing that the operator 𝒟' does not satisfy (4.3). The example in Figure 9 shows a WMTS S and a deterministic WMTS D for which d_m(𝒟'(S), D) = 3 + 3λ and d_m(S, D) = max(3, 3λ) = 3, hence d_m(𝒟'(S), D) ≰ d_m(S, D). □

Likewise, the greatest-lower-bound property of logical conjunction in the Boolean setting ensures that the set of implementations of a conjunction of specifications is precisely the intersection of the implementation sets of the two specifications. Conjoining two WMTS naturally involves a partial label conjunction operator ⊙. We let (a_1, I_1) ⊙ (a_2, I_2) be undefined if a_1 ≠ a_2, and otherwise
\[
(a, [x_1, y_1]) \odot (a, [x_2, y_2]) = \begin{cases}
(a, [\max(x_1, x_2), \min(y_1, y_2)]) & \text{if } \max(x_1, x_2) \le \min(y_1, y_2), \\
\text{undefined} & \text{otherwise.}
\end{cases}
\]

Before we show that such a conjunction operator for WMTS does not exist in general, we need to define a pruning operator which removes inconsistent states that naturally arise when conjoining two WMTS. The intuition is that if a WMTS S_1 requires a behavior s_1 -k_1->_1 for which there is no may transition s_2 --k_2-->_2 such that k_1 ⊙ k_2 is defined, then the state (s_1, s_2) in the conjunction is inconsistent and will have to be pruned away, together with all must transitions leading to it. In the definition below, pre* denotes the reflexive, transitive closure of pre.

Definition 11. For a WMTS S, let pre : 2^S → 2^S be given by pre(B) = {s ∈ S | s -k-> t ∈ B for some k}. Let B ⊆ S be a set of inconsistent states. If s^0 ∉ pre*(B), then the pruning of S w.r.t. B is defined by ρ_B(S) = (S^ρ, s^0, ⇢^ρ, →^ρ) where S^ρ = S \ pre*(B), ⇢^ρ = ⇢ ∩ (S^ρ × Spec × S^ρ) and →^ρ = → ∩ (S^ρ × Spec × S^ρ).
[Figure 9: panels (a) S, (b) 𝒟'(S), (c) D; visible edge labels a,[3,3], a,[3,6], a,[0,3], a,[0,0]]

Fig. 9. Counter-example for Theorem 4: d_m(𝒟'(S), D) = 3 + 3λ and d_m(S, D) = max(3, 3λ) = 3, hence d_m(𝒟'(S), D) ≰ d_m(S, D).



Theorem 5. There is no partial binary operator ∧ on WMTS for which it holds that, for all WMTS S, S_1, S_2 such that S_1 and S_2 are deterministic,

(5.1) whenever S_1 ∧ S_2 is defined, then S_1 ∧ S_2 ≤_m S_1 and S_1 ∧ S_2 ≤_m S_2,

(5.2) whenever S ≤_m S_1 and S ≤_m S_2, then S_1 ∧ S_2 is defined and S ≤_m S_1 ∧ S_2,

(5.3) for any ε ≥ 0, there exist ε_1 ≥ 0 and ε_2 ≥ 0 such that if S_1 ∧ S_2 is defined, S ≤^{ε_1}_m S_1 and S ≤^{ε_2}_m S_2, then S ≤^ε_m S_1 ∧ S_2.

Proof. We follow the same strategy as in the proof of Theorem 4. One can define a partial conjunction operator ∧' defined for WMTS which satisfies Properties (5.1) and (5.2) as follows: For deterministic WMTS S_1 and S_2, S_1 ∧' S_2 = ρ_B(S_1 × S_2, (s_1^0, s_2^0), ⇢, →) where the transition relations ⇢ and → and the set B ⊆ S_1 × S_2 of inconsistent states are defined by the following rules:
\[
\frac{s_1 \overset{k_1}{\dashrightarrow}_1 s_1' \quad s_2 \overset{k_2}{\dashrightarrow}_2 s_2' \quad k_1 \odot k_2 \text{ defined}}
     {(s_1, s_2) \overset{k_1 \odot k_2}{\dashrightarrow} (s_1', s_2')}
\qquad
\frac{s_1 \overset{k_1}{\longrightarrow}_1 s_1' \quad s_2 \overset{k_2}{\dashrightarrow}_2 s_2' \quad k_1 \odot k_2 \text{ defined}}
     {(s_1, s_2) \overset{k_1 \odot k_2}{\longrightarrow} (s_1', s_2')}
\]
\[
\frac{s_1 \overset{k_1}{\dashrightarrow}_1 s_1' \quad s_2 \overset{k_2}{\longrightarrow}_2 s_2' \quad k_1 \odot k_2 \text{ defined}}
     {(s_1, s_2) \overset{k_1 \odot k_2}{\longrightarrow} (s_1', s_2')}
\]
\[
\frac{s_1 \overset{k_1}{\longrightarrow}_1 s_1' \quad (k_1 \odot k_2 \text{ undefined for any } k_2 \text{ such that } s_2 \overset{k_2}{\dashrightarrow}_2)}
     {(s_1, s_2) \in B}
\qquad
\frac{s_2 \overset{k_2}{\longrightarrow}_2 s_2' \quad (k_1 \odot k_2 \text{ undefined for any } k_1 \text{ such that } s_1 \overset{k_1}{\dashrightarrow}_1)}
     {(s_1, s_2) \in B}
\]
Using these properties, one can see that for all deterministic WMTS S_1 and S_2, S_1 ∧ S_2 ≤_m S_1 ∧' S_2 and S_1 ∧' S_2 ≤_m S_1 ∧ S_2. The WMTS depicted in Figure 10 then show that Property (5.3) cannot hold: here, d_m(S, S_1) = d_m(S, S_2) = 1, but d_m(S, S_1 ∧ S_2) = ∞. □

The counterexamples used in the proofs of Theorems 4 and 5 are quite general and apply to a large class of distances, rather than only to the accumulating distance discussed in this paper. Hence it can be argued that what we have exposed here is a fundamental limitation of any quantitative approach to modal specifications.

[Figure 10: panels (a) S, (b) S_1, (c) S_2, (d) S_1 ∧ S_2]

Fig. 10. Counter-example for Theorem 5: d_m(S, S_1) = d_m(S, S_2) = 1, but d_m(S, S_1 ∧ S_2) = ∞.



7 Structural Composition and Quotient 

In this section we show that in our quantitative setting, notions of structural composition and quotient can be defined which obey the properties expected of such operations. In particular, structural composition satisfies independent implementability [5], hence the refinement distance between structural composites can be bounded by the distances between their respective components.

First we define partial synchronization operators ⊕ and ⊖ on specification labels which will be used for synchronizing transitions. We let (a_1, I_1) ⊕ (a_2, I_2) and (a_1, I_1) ⊖ (a_2, I_2) be undefined if a_1 ≠ a_2, and otherwise
\[
(a, [x_1, y_1]) \oplus (a, [x_2, y_2]) = (a, [x_1 + x_2,\; y_1 + y_2]),
\]
\[
(a, [x_1, y_1]) \ominus (a, [x_2, y_2]) = \begin{cases}
\text{undefined} & \text{if } x_1 - x_2 > y_1 - y_2, \\
(a, [x_1 - x_2,\; y_1 - y_2]) & \text{if } x_1 - x_2 \le y_1 - y_2.
\end{cases}
\]
Note that we use CSP-style synchronization, but other types of synchronization can easily be defined. Also, defining ⊕ to add intervals (and ⊖ to subtract them) is only one particular choice; depending on the application, one can also e.g. let ⊕ be intersection of intervals or some other operation. It is not difficult to see that these alternative synchronization operators would lead to properties similar to those we show here.

Definition 12. Let S_1 and S_2 be WMTS. The structural composition of S_1 and S_2 is S_1∥S_2 = (S_1 × S_2, (s_1^0, s_2^0), Spec, ⇢, →) with transitions given as follows:
\[
\frac{s_1 \overset{k_1}{\dashrightarrow}_1 t_1 \quad s_2 \overset{k_2}{\dashrightarrow}_2 t_2 \quad k_1 \oplus k_2 \text{ def.}}
     {(s_1, s_2) \overset{k_1 \oplus k_2}{\dashrightarrow} (t_1, t_2)}
\qquad
\frac{s_1 \overset{k_1}{\longrightarrow}_1 t_1 \quad s_2 \overset{k_2}{\longrightarrow}_2 t_2 \quad k_1 \oplus k_2 \text{ def.}}
     {(s_1, s_2) \overset{k_1 \oplus k_2}{\longrightarrow} (t_1, t_2)}
\]
The quotient of S_1 by S_2 is S_1 \ S_2 = ρ_B(S_1 × S_2 ∪ {u}, (s_1^0, s_2^0), Spec, ⇢, →) with transitions and the set B of inconsistent states given as follows:
\[
\frac{s_1 \overset{k_1}{\dashrightarrow}_1 t_1 \quad s_2 \overset{k_2}{\dashrightarrow}_2 t_2 \quad k_1 \ominus k_2 \text{ def.}}
     {(s_1, s_2) \overset{k_1 \ominus k_2}{\dashrightarrow} (t_1, t_2)}
\qquad
\frac{s_1 \overset{k_1}{\longrightarrow}_1 t_1 \quad s_2 \overset{k_2}{\longrightarrow}_2 t_2 \quad k_1 \ominus k_2 \text{ def.}}
     {(s_1, s_2) \overset{k_1 \ominus k_2}{\longrightarrow} (t_1, t_2)}
\]
\[
\frac{s_1 \overset{k_1}{\longrightarrow}_1 t_1 \quad \forall s_2 \overset{k_2}{\longrightarrow}_2 t_2 : k_1 \ominus k_2 \text{ undef.}}
     {(s_1, s_2) \in B}
\]
\[
\frac{k \in \mathrm{Spec} \quad \forall s_2 \overset{k_2}{\dashrightarrow}_2 t_2 : k \oplus k_2 \text{ undef.}}
     {(s_1, s_2) \overset{k}{\dashrightarrow} u}
\qquad
\frac{k \in \mathrm{Spec}}
     {u \overset{k}{\dashrightarrow} u}
\]

Note that during the quotient S_1 \ S_2 inconsistent states can arise which are then recursively removed using the pruning operator ρ, see Definition 11. After a technical lemma, the next theorem shows that structural composition is well-behaved with respect to modal refinement distance in the sense that the distance between the composed systems is bounded by the distances of the individual systems. Note also the special case in the theorem of S_1 ≤_m S_2 and S_3 ≤_m S_4 implying S_1∥S_3 ≤_m S_2∥S_4.

Lemma 9. For k_1, k_2, k_3, k_4 ∈ Spec with k_1 ⊕ k_3 and k_2 ⊕ k_4 defined, we have
\[
d_{\mathrm{Spec}}(k_1 \oplus k_3, k_2 \oplus k_4) \le d_{\mathrm{Spec}}(k_1, k_2) + d_{\mathrm{Spec}}(k_3, k_4).
\]

Proof. Let k_i = (a, [x_i, y_i]) for all i. We have
\[
\begin{aligned}
d_{\mathrm{Spec}}(k_1, k_2) + d_{\mathrm{Spec}}(k_3, k_4)
&= \max(x_2 - x_1,\; y_1 - y_2,\; 0) + \max(x_4 - x_3,\; y_3 - y_4,\; 0) \\
&\ge \max\big((x_2 - x_1) + (x_4 - x_3),\; (y_1 - y_2) + (y_3 - y_4),\; 0\big) \\
&= \max\big((x_2 + x_4) - (x_1 + x_3),\; (y_1 + y_3) - (y_2 + y_4),\; 0\big) \\
&= d_{\mathrm{Spec}}(k_1 \oplus k_3, k_2 \oplus k_4). \qquad \Box
\end{aligned}
\]

Theorem 6 (Independent implementability). For WMTS S_1, S_2, S_3, S_4 we have d_m(S_1∥S_3, S_2∥S_4) ≤ d_m(S_1, S_2) + d_m(S_3, S_4).

Proof. If d_m(S_1, S_2) = ∞ or d_m(S_3, S_4) = ∞, we have nothing to prove. Otherwise, let R^1 = {R^1_ε ⊆ S_1 × S_2 | ε ≥ 0}, R^2 = {R^2_ε ⊆ S_3 × S_4 | ε ≥ 0} be witnesses for d_m(S_1, S_2) and d_m(S_3, S_4), respectively; hence (s_1^0, s_2^0) ∈ R^1_{d_m(S_1, S_2)} ∈ R^1 and (s_3^0, s_4^0) ∈ R^2_{d_m(S_3, S_4)} ∈ R^2. Define
\[
R_\varepsilon = \big\{ ((s_1, s_3), (s_2, s_4)) \in S_1 \times S_3 \times S_2 \times S_4 \;\big|\;
(s_1, s_2) \in R^1_{\varepsilon_1} \in R^1,\; (s_3, s_4) \in R^2_{\varepsilon_2} \in R^2,\; \varepsilon_1 + \varepsilon_2 \le \varepsilon \big\}
\]
for all ε ≥ 0 and let R = {R_ε | ε ≥ 0}. We show that R witnesses d_m(S_1∥S_3, S_2∥S_4) ≤ d_m(S_1, S_2) + d_m(S_3, S_4).

We have ((s_1^0, s_3^0), (s_2^0, s_4^0)) ∈ R_{d_m(S_1, S_2) + d_m(S_3, S_4)} ∈ R. Now let ((s_1, s_3), (s_2, s_4)) ∈ R_ε ∈ R for some ε, then (s_1, s_2) ∈ R^1_{ε_1} ∈ R^1 and (s_3, s_4) ∈ R^2_{ε_2} ∈ R^2 for some ε_1 + ε_2 ≤ ε. Assume (s_1, s_3) --k_1⊕k_3--> (t_1, t_3), then s_1 --k_1-->_1 t_1 and s_3 --k_3-->_3 t_3. By (s_1, s_2) ∈ R^1_{ε_1} ∈ R^1, we have s_2 --k_2-->_2 t_2 with d_Spec(k_1, k_2) ≤ ε_1 and (t_1, t_2) ∈ R^1_{ε_1'} ∈ R^1 for some ε_1' ≤ λ^{-1}(ε_1 − d_Spec(k_1, k_2)); similarly, s_4 --k_4-->_4 t_4 with d_Spec(k_3, k_4) ≤ ε_2 and (t_3, t_4) ∈ R^2_{ε_2'} ∈ R^2 for some ε_2' ≤ λ^{-1}(ε_2 − d_Spec(k_3, k_4)). Let ε' = ε_1' + ε_2', then the sum k_2 ⊕ k_4 is defined, and
\[
\begin{aligned}
\varepsilon' &\le \lambda^{-1}\big(\varepsilon_1 + \varepsilon_2 - (d_{\mathrm{Spec}}(k_1, k_2) + d_{\mathrm{Spec}}(k_3, k_4))\big) \\
&\le \lambda^{-1}\big(\varepsilon - d_{\mathrm{Spec}}(k_1 \oplus k_3, k_2 \oplus k_4)\big)
\end{aligned}
\]
by Lemma 9. We have (s_2, s_4) --k_2⊕k_4--> (t_2, t_4), d_Spec(k_1 ⊕ k_3, k_2 ⊕ k_4) ≤ ε_1 + ε_2 ≤ ε again by Lemma 9, and ((t_1, t_3), (t_2, t_4)) ∈ R_ε' ∈ R. The reverse direction, starting with a transition (s_2, s_4) -k_2⊕k_4-> (t_2, t_4), is similar. □

Again after a technical lemma, the next theorem expresses the fact that quotient is a partial inverse to structural composition. Intuitively, the theorem shows that the quotient S_1 \ S_2 is maximal among all WMTS S_3 with respect to any distance S_2∥S_3 ≤^ε_m S_1; note the special case of S_3 ≤_m S_1 \ S_2 if and only if S_2∥S_3 ≤_m S_1.

Lemma 10. If k_1, k_2, k_3 ∈ Spec are such that k_1 ⊖ k_2 and k_2 ⊕ k_3 are defined, then d_Spec(k_3, k_1 ⊖ k_2) = d_Spec(k_2 ⊕ k_3, k_1).

Proof. We can write k_i = (a, [x_i, y_i]) for some a ∈ Σ. Then
\[
\begin{aligned}
d_{\mathrm{Spec}}(k_3, k_1 \ominus k_2) &= \max\big((x_1 - x_2) - x_3,\; y_3 - (y_1 - y_2),\; 0\big) \\
&= \begin{cases}
x_1 - x_2 - x_3 & \text{if } x_1 - x_2 - x_3 \ge 0,\; x_1 - x_2 - x_3 \ge y_3 - y_1 + y_2; \\
y_3 - y_1 + y_2 & \text{if } y_3 - y_1 + y_2 \ge 0,\; y_3 - y_1 + y_2 \ge x_1 - x_2 - x_3; \\
0 & \text{if } x_1 - x_2 - x_3 \le 0,\; y_3 - y_1 + y_2 \le 0.
\end{cases}
\end{aligned}
\]
Similarly,
\[
\begin{aligned}
d_{\mathrm{Spec}}(k_2 \oplus k_3, k_1) &= \max\big(x_1 - (x_2 + x_3),\; (y_2 + y_3) - y_1,\; 0\big) \\
&= \begin{cases}
x_1 - x_2 - x_3 & \text{if } x_1 - x_2 - x_3 \ge 0,\; x_1 - x_2 - x_3 \ge y_2 + y_3 - y_1; \\
y_2 + y_3 - y_1 & \text{if } y_2 + y_3 - y_1 \ge 0,\; y_2 + y_3 - y_1 \ge x_1 - x_2 - x_3; \\
0 & \text{if } x_1 - x_2 - x_3 \le 0,\; y_2 + y_3 - y_1 \le 0. \qquad \Box
\end{cases}
\end{aligned}
\]
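The label operators ⊕ and ⊖ of this section, the conjunction ⊙ of Section 6, and the weight choice of equation (2) in the proof of Theorem 1, as an added Python example (not the paper's code): it implements the three partial operators on labels and checks Lemma 9, Lemma 10 and equation (3) exhaustively over small integer intervals, plus the observation (not stated on the page) that ⊖ undoes ⊕ on labels. The (action, (x, y)) encoding, the search range and the function names are assumptions; d_Spec is the formula from the proof of Lemma 9.

```python
"""Label operators ⊕ (composition), ⊖ (quotient) and ⊙ (conjunction) on WMTS
labels, with exhaustive checks of Lemma 9, Lemma 10 and equation (3).
Added example, not the paper's code.

Assumed encoding: a label is (action, (x, y)) for the interval [x, y];
d_Spec is the formula from the proof of Lemma 9, ∞ for different actions.
"""
from itertools import product
from math import inf


def d_spec(k1, k2):
    (a1, (x1, y1)), (a2, (x2, y2)) = k1, k2
    return inf if a1 != a2 else max(x2 - x1, y1 - y2, 0)


def plus(k1, k2):
    """k1 ⊕ k2: CSP-style synchronisation, intervals are added; None if undefined."""
    (a1, (x1, y1)), (a2, (x2, y2)) = k1, k2
    return None if a1 != a2 else (a1, (x1 + x2, y1 + y2))


def minus(k1, k2):
    """k1 ⊖ k2: intervals are subtracted; undefined when x1-x2 > y1-y2."""
    (a1, (x1, y1)), (a2, (x2, y2)) = k1, k2
    if a1 != a2 or x1 - x2 > y1 - y2:
        return None
    return (a1, (x1 - x2, y1 - y2))


def conj(k1, k2):
    """k1 ⊙ k2 (Section 6): intersection of intervals; undefined when empty."""
    (a1, (x1, y1)), (a2, (x2, y2)) = k1, k2
    lo, hi = max(x1, x2), min(y1, y2)
    return None if a1 != a2 or lo > hi else (a1, (lo, hi))


def project(x1, k2):
    """Equation (2): the implementation weight x2' in k2's interval nearest to x1."""
    a2, (x2, y2) = k2
    c = min(max(x1, x2), y2)
    return (a2, (c, c))


def all_labels(lo, hi, action="a"):
    """Every label (action, [x, y]) with lo <= x <= y <= hi (constructed sample space)."""
    return [(action, (x, y)) for x in range(lo, hi + 1) for y in range(x, hi + 1)]


def check_lemma9(lo=-2, hi=2):
    """Lemma 9: d_Spec(k1⊕k3, k2⊕k4) <= d_Spec(k1,k2) + d_Spec(k3,k4).
    Returns the number of quadruples checked; raises on a counterexample."""
    labels, n = all_labels(lo, hi), 0
    for k1, k2, k3, k4 in product(labels, repeat=4):
        lhs = d_spec(plus(k1, k3), plus(k2, k4))   # ⊕ is total for equal actions
        if lhs > d_spec(k1, k2) + d_spec(k3, k4):
            raise AssertionError((k1, k2, k3, k4))
        n += 1
    return n


def check_lemma10(lo=-2, hi=2):
    """Lemma 10: if k1⊖k2 is defined (k2⊕k3 always is here) then
    d_Spec(k3, k1⊖k2) == d_Spec(k2⊕k3, k1). Returns the number of triples checked."""
    labels, n = all_labels(lo, hi), 0
    for k1, k2, k3 in product(labels, repeat=3):
        q = minus(k1, k2)
        if q is None:
            continue
        if d_spec(k3, q) != d_spec(plus(k2, k3), k1):
            raise AssertionError((k1, k2, k3))
        n += 1
    return n


def check_equation3(lo=-2, hi=2):
    """Equation (3): d_Spec(k1', k2') == d_Spec(k1', k2) for k1' = (a, x1') and
    k2' = (a, x2') chosen by equation (2). Returns the number of cases checked."""
    labels, n = all_labels(lo, hi), 0
    for k2 in labels:
        for x1 in range(lo - 2, hi + 3):          # points inside and outside k2
            k1 = (k2[0], (x1, x1))                # implementation label as point interval
            if d_spec(k1, project(x1, k2)) != d_spec(k1, k2):
                raise AssertionError((k1, k2))
            n += 1
    return n


def check_quotient_inverts_composition(lo=-2, hi=2):
    """Observation: (k1⊕k2)⊖k2 == k1 always, and (k1⊖k2)⊕k2 == k1 whenever
    k1⊖k2 is defined. Returns the number of pairs checked."""
    labels, n = all_labels(lo, hi), 0
    for k1, k2 in product(labels, repeat=2):
        if minus(plus(k1, k2), k2) != k1:
            raise AssertionError((k1, k2))
        q = minus(k1, k2)
        if q is not None and plus(q, k2) != k1:
            raise AssertionError((k1, k2))
        n += 1
    return n
```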

Theorem 7 (Soundness and maximality of quotient). Let S_1, S_2 and S_3 be locally consistent WMTS such that S_2 is deterministic and S_1 \ S_2 is defined. If d_m(S_3, S_1 \ S_2) < ∞, then d_m(S_3, S_1 \ S_2) = d_m(S_2∥S_3, S_1).
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Proof. To avoid confusion, we write — H and — K for transitions in Si \ S2 
and and — >\\ for transitions in S^HS^. The inequality d m (S 3 ,Si \ S2) > 
d m {S 2 \\S 3 , Si) is trivial if d m (S 2 \\S 3 , Si) = 00, so assume the opposite and let 
R 1 = {Rl CS 3 x (Si x S 2 U {u}) I e > 0} be a witness for d m (S 3 , Si \ S 2 ). 
Define R 2 = { ((s 2 , s 3 ), si) | (s 3 ,(si,s 2 )) € i?^} C S 2 x S* 3 x 5i for all e > 0, 
and let i? 2 = {i? 2 | e > 0}. Certainly s§), s?) S fljw S3 Sl » Sj) € R 2 , so let 
now ((s2, S3), si) £ R 2 £ R 2 for some e > 0. 

Assume (s 2 ,s 3 ) fc 2?l 3 || (i 2 ,£ 3 ), then also s 2 -- 2 -> 2 t 2 and s 3 -- 3 -> 3 i 3 . We have 

(s3,(si,s 2 )) S ^i) so there is (si,s 2 ) fci -^ 2 \\ (ii,i' 2 ) for which d Spe c(fc3,fci © 
/c 2 ) = ds P ec(k 2 ffi k 3 ,ki) < e and such that (i3,(ti,i 2 )) £ i?^, G i? 1 , hence 
((t' 2 ,t 3 ),ti) £ R\, € i? 2 , for some e' < A _1 (e - ds pec (k 2 © fe, fci))- By definition 

of quotient we must have si --->i ti and s 2 -- 2 -> 2 t' 2 , and by determinism of S 2 , 
k' 2 = k 2 and t' 2 = t 2 . 

Assume si —^1 t\. We must have a transition s 2 —^2 i 2 for which ki k 2 is 
defined. Hence (si, s 2 ) fc J^ 2 ^ (ii,i 2 ). This in turn implies that there is S3 -^3 £3 
for which (ispec(fc3, fa © k 2 ) = ds pe c(k 2 ffi fc 3 , ki) < e and such that (t 3 , (ti,t 2 )) £ 
i?*, E R 1 , hence ((t 2 ,t 3 ),ti) £ R 2 , £ R 2 , ior some e' < X' 1 (e-d Spe c(k 2 ®k 3 ,ki)) , 
and by definition of parallel composition, (s 2 ,S3) fc ^4 3 || (t 2 ,t 3 ). 

To show that d m (S 3 ,Si \ S 2 ) < d rn (S 2 \\S 3 , Si), let R 2 = {R 2 C S 2 x 
S3 x Si I e > 0} be a witness for d m {S 2 \\S 3 , Si), define Rl — { (s 3 , (si, s 2 )) | 
((s 2 ,s 3 ),si) £ i? 2 }u{(s 3 ,w) I s 3 £ S3} for alls > 0, and let R 1 = {Rl \ e > 0}, 
then (si (si s^eR^^^eR 1 . 

For any (S3, u) € i?* for some e > 0, any transition S3 -- 3 ->3 £3 can be matched 
by u - 3j >\ u, and then (£3, u) £ Let now (53, (si, s 2 )) £ Rl for some e > 0, 
and assume S3 -- 3 ->3 t 3 . If k 2 ffi &3 is undefined for all transitions s 2 -- 2 -> 2 i 2 , 
then by definition (si,s 2 ) - fc --> u, and again (t 3 ,u) £ If there is a transition 
s 2 -- 2 -> 2 t 2 such that fc 2 ffi k 3 is defined, then also (s 2 , S3) fc --* 3 || (i 2 , i 3 ). Hence we 
have si -*-->i ti with ds P ec(k 2 ffi k 3 ,ki) < e, implying that (si,s 2 ) fc A-$ 2 ^ (ii,t 2 ). 
Hence d Spe c(fc3,fci © k 2 ) = d Spe c{k 2 ffi fc 3 ,fci) < £■ Also, ((t 2 ,t 3 ),ti) £ R 2 , £ R 2 , 
hence (t 3 , {ti,t 2 )) £ R 1 ^ £ R 1 , for some s' < A _1 (e — ds pe c{k 3 , ki © k 2 )). 

Assume a must transition $(s_1,s_2) \xrightarrow{k_1 \ominus k_2} (t_1,t_2)$ of $S_1 \setminus S_2$; hence we have must transitions $s_1 \xrightarrow{k_1} t_1$ and $s_2 \xrightarrow{k_2} t_2$. It follows that there is a must transition $(s_2,s_3) \xrightarrow{k_2' \oplus k_3} (t_2',t_3)$ of $S_2 \| S_3$ with $d_{\mathrm{spec}}(k_2' \oplus k_3, k_1) = d_{\mathrm{spec}}(k_3, k_1 \ominus k_2') \le \varepsilon$ and such that $((t_2',t_3),t_1) \in R^2_{\varepsilon'} \in R^2$, hence $(t_3,(t_1,t_2')) \in R^1_{\varepsilon'} \in R^1$, for some $\varepsilon' \le \lambda^{-1}(\varepsilon - d_{\mathrm{spec}}(k_3, k_1 \ominus k_2'))$. By definition of parallel composition we must have $s_2 \xrightarrow{k_2'} t_2'$ and $s_3 \xrightarrow{k_3} t_3$, and by determinism of $S_2$, $k_2' = k_2$ and $t_2' = t_2$. □

The example depicted in Figure 11 shows that the condition $d_m(S_3, S_1 \setminus S_2) < \infty$ in Theorem 7 is necessary. Here $d_m(S_2 \| S_3, S_1) = 1$, but $d_m(S_3, S_1 \setminus S_2) = \infty$ because of the inconsistency between the transitions $s_1 \xrightarrow{(a,[0,0])} t_1$ and $s_2 \xrightarrow{(a,[0,1])} t_2$, for which $k_1 \ominus k_2$ is undefined (here $x_1 - x_2 = 0 > -1 = y_1 - y_2$).
[Fig. 11. WMTS for which $d_m(S_2 \| S_3, S_1) \ne d_m(S_3, S_1 \setminus S_2) = \infty$. Panels: (a) $S_1$, (b) $S_2$, (c) $S_3$, (d) $S_2 \| S_3$, (e) $S_1 \setminus S_2$. Of the drawing itself only the labels $(a,[0,0])$ on $S_1$ and $(a,[0,1])$ on $S_2$ are recoverable.]

As a practical application, we notice that relaxation as defined in Section 5 can be useful when computing quotients. The quotient construction introduces inconsistent states (which afterwards are pruned) whenever there is a must transition $s_1 \xrightarrow{k_1} s_1'$ such that $k_1 \ominus k_2$ is undefined for all transitions $s_2 \xrightarrow{k_2} s_2'$. Looking at the definition of $\ominus$, we see that this is the case if $k_1 = (a_1,[x_1,y_1])$ and $k_2 = (a_2,[x_2,y_2])$ are such that $a_1 \ne a_2$ or $x_1 - x_2 > y_1 - y_2$. In the first case, the inconsistency is of a structural nature and cannot be dealt with; but in the second case, it may be avoided by enlarging $k_1$: decreasing $x_1$ or increasing $y_1$ so that now $x_1 - x_2 \le y_1 - y_2$.

Enlarging quantitative constraints is exactly the intuition of relaxation, thus in practical cases where we get a quotient $S_1 \setminus S_2$ which is "too inconsistent", we may be able to solve this problem by constructing a suitable $\varepsilon$-relaxation $S_1'$ of $S_1$. Theorems 6 and 7 can then be used to ensure that also $S_1' \setminus S_2$ is a relaxation of $S_1 \setminus S_2$.
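The following Python script is added here as a worked example; it is not part of the paper. It makes the quotient consistency condition and the relaxation remedy above concrete. The page does not restate the definitions of $d_{\mathrm{spec}}$, $\oplus$ and $\ominus$, so their forms here are assumptions: $d_{\mathrm{spec}}$ is infinite across different actions and otherwise measures by how much the first interval sticks out of the second, $\oplus$ adds intervals, and $\ominus$ subtracts them and is defined exactly under the condition $x_1 - x_2 \le y_1 - y_2$ quoted above. Realizing an $\varepsilon$-relaxation by widening a single label's interval is likewise an assumption. The labels of Figure 11 serve as sample input.

```python
from math import inf

# A label k = (action, lo, hi) stands for the weighted label (a, [lo, hi]).
# Assumed form of d_spec (not restated on this page): infinite across different
# actions, otherwise how far k's interval sticks out of l's, so it is 0 exactly
# when k's interval lies inside l's.
def d_spec(k, l):
    (a, x1, y1), (b, x2, y2) = k, l
    if a != b:
        return inf
    return max(0, x2 - x1, y1 - y2)

def oplus(k2, k3):
    """k2 (+) k3 for parallel composition: interval-wise sum, undefined (None)
    across different actions (assumed form of the operator)."""
    (a, x2, y2), (b, x3, y3) = k2, k3
    return None if a != b else (a, x2 + x3, y2 + y3)

def ominus(k1, k2):
    """k1 (-) k2 for the quotient: defined iff the actions agree and
    x1 - x2 <= y1 - y2, the condition stated in the text."""
    (a, x1, y1), (b, x2, y2) = k1, k2
    if a != b or x1 - x2 > y1 - y2:
        return None
    return (a, x1 - x2, y1 - y2)

def relax(k, eps):
    """Widen the interval of k by eps on both sides: the label-level form of the
    relaxation the text suggests (decrease x1 and/or increase y1)."""
    a, x, y = k
    return (a, x - eps, y + eps)

def consistent_in_quotient(k1, s2_labels):
    """A must transition k1 of S1 keeps the quotient state consistent iff some
    transition label k2 of S2 makes k1 (-) k2 defined."""
    return any(ominus(k1, k2) is not None for k2 in s2_labels)

def smallest_fixing_relaxation(k1, s2_labels, max_eps=100):
    """Smallest integer eps >= 0 whose relaxation of k1 removes the inconsistency,
    or None if no eps up to max_eps does (e.g. when the actions differ)."""
    for eps in range(max_eps + 1):
        if consistent_in_quotient(relax(k1, eps), s2_labels):
            return eps
    return None

def duality_holds(k1, k2, k3):
    """d_spec(k3, k1 (-) k2) == d_spec(k2 (+) k3, k1), the identity used in the
    proof of Theorem 7; None when one side is undefined."""
    q, p = ominus(k1, k2), oplus(k2, k3)
    if q is None or p is None:
        return None
    return d_spec(k3, q) == d_spec(p, k1)

# Figure 11: s1 carries (a,[0,0]) and s2 carries (a,[0,1]); 0 - 0 > 0 - 1, so
# the quotient label is undefined and the state (s1, s2) is inconsistent.
K1, K2 = ('a', 0, 0), ('a', 0, 1)

if __name__ == '__main__':
    print('k1 (-) k2 =', ominus(K1, K2))            # None: inconsistent state
    eps = smallest_fixing_relaxation(K1, [K2])
    print('relaxing k1 by', eps, 'gives k1\' (-) k2 =', ominus(relax(K1, eps), K2))
    print('duality on a sample triple:',
          duality_holds(('a', 2, 5), ('a', 1, 2), ('a', 0, 1)))
```

Relaxing by one unit turns $(a,[0,0])$ into $(a,[-1,1])$, for which $-1 - 0 \le 1 - 1$ and the quotient label $(a,[-1,0])$ exists; an action mismatch is reported as unfixable, matching the "structural" case in the text.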

8 Logical Characterizations 

We now turn our attention to showing that quantitative refinement admits a logical characterization. Our results extend the logical characterization of modal transition systems in [31] by abandoning the usual Boolean interpretation of logical satisfaction, as we did for refinement, and instead interpreting each formula as a map assigning to states a real-valued number denoting the relationship between the property and the state. The logic $\mathcal{L}$ is the smallest set of expressions generated by the following abstract syntax:
$$\phi, \phi_1, \phi_2 ::= tt \mid ff \mid \langle\ell\rangle\phi \mid [\ell]\phi \mid \phi_1 \wedge \phi_2 \mid \phi_1 \vee \phi_2 \qquad (\ell \in \mathrm{Spec})$$

As usual, when $\ell = (a,[x_1,x_2])$, writing $\langle\ell\rangle\phi$ means that we insist on implementations exhibiting a transition which reaches a state having property $\phi$ and is labeled by $a$ and an integer $x$ for which $x_1 \le x \le x_2$. Dually, $[\ell]\phi$ restricts the set of implementations to those where every transition labeled with $a$ and an integer in $[x_1,x_2]$ reaches a state with property $\phi$.

With this standard (informal) interpretation of logical specifications, implementations which come close to matching the specification are rejected just as much as the truly wrong implementations. Analogously to our refinement distance, a quantitative interpretation provides us with continuous judgments on the relationship between a specification $S$ or implementation $I$ and a logical specification $\phi$. Defining the semantics of formulae as a map from states to reals, the value of any $\phi$ at the initial state of an implementation determines an order on the applicability of the implementations for the given specification. The semantics of a formula $\phi \in \mathcal{L}$ is a mapping $[\![\phi]\!] : S \to \mathbb{R}_{\ge 0} \cup \{\infty\}$ given inductively, again relative to the discounting factor $\lambda$ with $0 < \lambda < 1$, as follows:
$$\begin{aligned}
[\![tt]\!]_s &= 0, \qquad [\![ff]\!]_s = \infty \\
[\![\phi_1 \wedge \phi_2]\!]_s &= \max([\![\phi_1]\!]_s, [\![\phi_2]\!]_s), \qquad [\![\phi_1 \vee \phi_2]\!]_s = \min([\![\phi_1]\!]_s, [\![\phi_2]\!]_s) \\
[\![\langle\ell\rangle\phi]\!]_s &= \inf\{ d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi]\!]_t \mid s \xrightarrow{k} t \text{ a must transition},\ d_{\mathrm{spec}}(k,\ell) \ne \infty \} \\
[\![[\ell]\phi]\!]_s &= \sup\{ d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi]\!]_t \mid s \xrightarrow{k} t \text{ a may transition},\ d_{\mathrm{spec}}(k,\ell) \ne \infty \}
\end{aligned}$$
with the usual conventions $\inf\emptyset = \infty$ and $\sup\emptyset = 0$.

Intuitively, $[\![[\ell]\phi]\!]_s$ takes the value of the supremum, over all outgoing may transitions $s \xrightarrow{k} t$, of the distance of $k$ from $\ell = (a,[x_1,x_2])$ plus the discounted value of the property $\phi$ at $t$. Clearly if $[\![[\ell]\phi]\!]_s = 0$, then every such $s \xrightarrow{k} t$ satisfies the property exactly, recovering the standard interpretation. Notice that by evaluating a logical specification $\phi$ on a WMTS specification $S$, we get a measure of the implementations of $S$ which are not implementations of $\phi$. The value is $0$ if and only if there is a thorough refinement from $S$ to $\phi$, i.e. if and only if every implementation of $S$ satisfies $\phi$.
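The Python code below is an added example, not part of the paper. It implements the semantics above over a small WMTS and checks the soundness property stated next (Theorem 8) numerically, computing $d_m$ as the least fixed point of the may/must matching equations by iteration from zero. The form of $d_{\mathrm{spec}}$ is an assumption (the page does not restate it): infinite across different actions, otherwise the amount by which the first interval sticks out of the second. The sample systems $S$, $T$ and the formulas are constructed for illustration; they are not the paper's examples.

```python
from math import inf

# Labels are (action, lo, hi) for (a, [lo, hi]). Assumed form of d_spec: infinite
# across different actions, otherwise how far k's interval sticks out of l's.
def d_spec(k, l):
    (a, x1, y1), (b, x2, y2) = k, l
    if a != b:
        return inf
    return max(0, x2 - x1, y1 - y2)

# A WMTS is a dict: state -> list of (label, target, is_must). Every must
# transition is also a may transition, so the list holds all may transitions
# with a flag marking the must ones.
def may(wmts, s):
    return [(k, t) for (k, t, _) in wmts[s]]

def must(wmts, s):
    return [(k, t) for (k, t, m) in wmts[s] if m]

# Formulas of L as nested tuples:
#   ('tt',)  ('ff',)  ('dia', l, phi)  ('box', l, phi)  ('and', p, q)  ('or', p, q)
def sem(phi, s, wmts, lam):
    """[[phi]]_s as defined in the text, for a discount 0 < lam < 1."""
    tag = phi[0]
    if tag == 'tt':
        return 0.0
    if tag == 'ff':
        return inf
    if tag == 'and':
        return max(sem(phi[1], s, wmts, lam), sem(phi[2], s, wmts, lam))
    if tag == 'or':
        return min(sem(phi[1], s, wmts, lam), sem(phi[2], s, wmts, lam))
    l, psi = phi[1], phi[2]
    if tag == 'dia':   # infimum over must transitions; inf of the empty set is infinity
        vals = [d_spec(k, l) + lam * sem(psi, t, wmts, lam)
                for (k, t) in must(wmts, s) if d_spec(k, l) != inf]
        return min(vals) if vals else inf
    if tag == 'box':   # supremum over may transitions; sup of the empty set is 0
        vals = [d_spec(k, l) + lam * sem(psi, t, wmts, lam)
                for (k, t) in may(wmts, s) if d_spec(k, l) != inf]
        return max(vals) if vals else 0.0
    raise ValueError(tag)

def d_m(S, s0, T, t0, lam, iters=500):
    """Modal refinement distance d_m(S, T) from the initial states, as the least
    fixed point of the may/must matching equations, computed by iteration."""
    pairs = [(s, t) for s in S for t in T]
    d = {p: 0.0 for p in pairs}
    for _ in range(iters):
        new = {}
        for (s, t) in pairs:
            # every may transition of s must be matched by a may transition of t
            a = max([min([d_spec(k, l) + lam * d[(s2, t2)] for (l, t2) in may(T, t)] or [inf])
                     for (k, s2) in may(S, s)] or [0.0])
            # every must transition of t must be matched by a must transition of s
            b = max([min([d_spec(k, l) + lam * d[(s2, t2)] for (k, s2) in must(S, s)] or [inf])
                     for (l, t2) in must(T, t)] or [0.0])
            new[(s, t)] = max(a, b)
        if all(new[p] == d[p] or abs(new[p] - d[p]) < 1e-12 for p in pairs):
            break
        d = new
    return d[(s0, t0)]

# Constructed sample systems. S: a must a-step into an a-loop of weight exactly 1,
# plus an optional b-step. T: the same shape with looser or shifted intervals.
S = {'s0': [(('a', 0, 2), 's1', True), (('b', 5, 5), 's2', False)],
     's1': [(('a', 1, 1), 's1', True)],
     's2': []}
T = {'t0': [(('a', 0, 3), 't1', True), (('b', 4, 6), 't2', False)],
     't1': [(('a', 0, 0), 't1', True)],
     't2': []}
LAM = 0.5
PHI = ('dia', ('a', 0, 2), ('dia', ('a', 1, 1), ('tt',)))
PSI = ('box', ('b', 5, 5), ('tt',))

def soundness_holds(phi, lam=LAM):
    """Theorem 8 checked in both directions: [[phi]]S <= [[phi]]T + d_m(S, T)."""
    vS, vT = sem(phi, 's0', S, lam), sem(phi, 't0', T, lam)
    return (vS <= vT + d_m(S, 's0', T, 't0', lam)
            and vT <= vS + d_m(T, 't0', S, 's0', lam))

if __name__ == '__main__':
    print('[[PHI]]S =', sem(PHI, 's0', S, LAM), ' [[PHI]]T =', sem(PHI, 't0', T, LAM))
    print('d_m(S,T) =', d_m(S, 's0', T, 't0', LAM), ' d_m(T,S) =', d_m(T, 't0', S, 's0', LAM))
    print('Theorem 8 holds for PHI and PSI:', soundness_holds(PHI), soundness_holds(PSI))
```

On these systems $[\![\mathrm{PHI}]\!]S = 0$ (the must transitions of $S$ fit the formula exactly), $[\![\mathrm{PHI}]\!]T = 1.5$ (one unit of interval overshoot on the first step plus a discounted unit on the loop), and $d_m(S,T) = 1$, $d_m(T,S) = 2$, so both instances of the bound hold. A formula whose action occurs on no must transition evaluates to $\infty$ under $\langle\ell\rangle$ and to $0$ under $[\ell]$, reflecting the empty-set conventions.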

For a WMTS $S$ we write $[\![\phi]\!]S = [\![\phi]\!]_{s_0}$. The first theorem below expresses the fact that $\mathcal{L}$ is quantitatively sound for the refinement distance, i.e. the value of a formula in a specification is bounded by its value in any other specification plus their distance. Note the special case that $S \le_m T$ implies $[\![\phi]\!]S \le [\![\phi]\!]T$.

Theorem 8. For all $\phi \in \mathcal{L}$ and WMTS $S$, $T$, $[\![\phi]\!]S \le [\![\phi]\!]T + d_m(S,T)$.

Proof. By standard structural induction in $\phi$. The claim obviously holds for $\phi = tt$ and $\phi = ff$.

For $\phi = \phi_1 \wedge \phi_2$, the induction hypothesis that $[\![\phi_i]\!]_{s_1} \le [\![\phi_i]\!]_{s_2} + d_m(s_1,s_2)$ for $i = 1,2$ implies that also $\max([\![\phi_1]\!]_{s_1}, [\![\phi_2]\!]_{s_1}) \le \max([\![\phi_1]\!]_{s_2}, [\![\phi_2]\!]_{s_2}) + d_m(s_1,s_2)$. Similarly for $\phi = \phi_1 \vee \phi_2$.

For the case $\phi = \langle\ell\rangle\phi'$, if $d_m(s_1,s_2) = \infty$ or if there are no must transitions $s_2 \xrightarrow{k_2} t_2$, the claim is trivial. Let thus $s_2 \xrightarrow{k_2} t_2$ be a must transition; then there exists a must transition $s_1 \xrightarrow{k_1} t_1$ with
$$d_{\mathrm{spec}}(k_1,k_2) + \lambda\, d_m(t_1,t_2) \le d_m(s_1,s_2)$$
(by definition of $d_m$). Then $d_{\mathrm{spec}}(k_1,\ell) + \lambda[\![\phi']\!]_{t_1} \le (d_{\mathrm{spec}}(k_1,k_2) + \lambda\, d_m(t_1,t_2)) + (d_{\mathrm{spec}}(k_2,\ell) + \lambda[\![\phi']\!]_{t_2})$ by induction hypothesis and the triangle inequality for $d_{\mathrm{spec}}$, hence $d_{\mathrm{spec}}(k_1,\ell) + \lambda[\![\phi']\!]_{t_1} \le d_m(s_1,s_2) + d_{\mathrm{spec}}(k_2,\ell) + \lambda[\![\phi']\!]_{t_2}$. As $s_2 \xrightarrow{k_2} t_2$ was arbitrary, this entails
$$\inf\{ d_{\mathrm{spec}}(k_1,\ell) + \lambda[\![\phi']\!]_{t_1} \mid s_1 \xrightarrow{k_1} t_1 \} \le \inf\{ d_{\mathrm{spec}}(k_2,\ell) + \lambda[\![\phi']\!]_{t_2} \mid s_2 \xrightarrow{k_2} t_2 \} + d_m(s_1,s_2),$$
which was to be shown.

For the case $\phi = [\ell]\phi'$ the proof is similar: we have nothing to prove if $d_m(s_1,s_2) = \infty$ or if there are no may transitions $s_1 \xrightarrow{k_1} t_1$ with $d_{\mathrm{spec}}(k_1,\ell) \ne \infty$, so assume there is such a transition. Then we also have a may transition $s_2 \xrightarrow{k_2} t_2$ with $d_{\mathrm{spec}}(k_1,k_2) + \lambda\, d_m(t_1,t_2) \le d_m(s_1,s_2)$, and
$$d_{\mathrm{spec}}(k_1,\ell) + \lambda[\![\phi']\!]_{t_1} \le (d_{\mathrm{spec}}(k_1,k_2) + \lambda\, d_m(t_1,t_2)) + d_{\mathrm{spec}}(k_2,\ell) + \lambda[\![\phi']\!]_{t_2} \le d_m(s_1,s_2) + d_{\mathrm{spec}}(k_2,\ell) + \lambda[\![\phi']\!]_{t_2}. \qquad \Box$$

The next theorem shows that the disjunction-free fragment of $\mathcal{L}$ is also quantitatively implementation complete, i.e. the value of any disjunction-free formula in a specification $S$ is the supremum of its values over the implementations of $S$. Note that disjunction-freeness is a common assumption in this context, cf. [31, 18].

Theorem 9. For all disjunction-free $\phi \in \mathcal{L}$ and locally consistent and compactly branching WMTS $S$, we have $[\![\phi]\!]S = \sup_{I \in [\![S]\!]} [\![\phi]\!]I$.

Proof. Since $d_m(I,S) = 0$ for all $I \in [\![S]\!]$, Theorem 8 entails $[\![\phi]\!]I \le [\![\phi]\!]S$, hence also $\sup_{I \in [\![S]\!]} [\![\phi]\!]I \le [\![\phi]\!]S$. To show that $[\![\phi]\!]S \le \sup_{I \in [\![S]\!]} [\![\phi]\!]I$ we use structural induction on $\phi$. If $\phi = tt$, both sides are $0$, and if $\phi = ff$, both sides are $\infty$, so the induction base is clear.

The case $\phi = \phi_1 \wedge \phi_2$ is also clear: by hypothesis, $[\![\phi_1]\!]S \le \sup_{I \in [\![S]\!]} [\![\phi_1]\!]I$ and similarly for $\phi_2$, hence
$$[\![\phi]\!]S = \max([\![\phi_1]\!]S, [\![\phi_2]\!]S) \le \max\Big(\sup_{I \in [\![S]\!]} [\![\phi_1]\!]I,\ \sup_{I \in [\![S]\!]} [\![\phi_2]\!]I\Big) = \sup_{I \in [\![S]\!]} \max([\![\phi_1]\!]I, [\![\phi_2]\!]I).$$

For the case $\phi = \langle\ell\rangle\phi'$, we are done if $[\![\phi]\!]S = 0$. Otherwise, to conclude that $\sup_{I \in [\![S]\!]} [\![\langle\ell\rangle\phi']\!]I \ge [\![\langle\ell\rangle\phi']\!]S$, we expose, for any $\alpha < [\![\phi]\!]S$, an $I \in [\![S]\!]$ for which $\alpha \le [\![\phi]\!]I$. For a fixed $\alpha < [\![\phi]\!]S$, start by letting $I = \{i_0\}$ and $\to_I = \emptyset$.

Now for each must transition $s_0 \xrightarrow{k}_S t$ we have $\alpha < d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi']\!]_t$, so (assuming for the moment that $[\![\phi']\!]_t \ne 0$) by the density of the reals there is a number $\alpha'_k < [\![\phi']\!]_t$ for which $\alpha < d_{\mathrm{spec}}(k,\ell) + \lambda\alpha'_k$. By induction hypothesis, the sub-formula $\phi'$ satisfies $\sup_{J \in [\![S']\!]} [\![\phi']\!]J = [\![\phi']\!]S'$ for any $S'$, specifically when $S' = (t,S)$ is taken as $S$ with initial state replaced by $t$. Therefore, and as $\alpha'_k < [\![\phi']\!]_t$, there exists a $J \in [\![(t,S)]\!]$ with $\alpha'_k < [\![\phi']\!]J$. Now let $n \in \mathrm{Imp}$ with $n \sqsubseteq k$ be such that $d_{\mathrm{spec}}(n,\ell) + \lambda[\![\phi']\!]J = d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi']\!]J$, and add $J$ together with a transition $i_0 \xrightarrow{n} j_0$ to $I$.

In case $[\![\phi']\!]_t = 0$, we have a $J \in [\![(t,S)]\!]$ with $[\![\phi']\!]J = 0$, and we add $J$ together with a transition $i_0 \xrightarrow{n} j_0$ to $I$ as above.

For the so-constructed implementation $I$ we have
$$\begin{aligned}
[\![\phi]\!]I &= \inf\{ d_{\mathrm{spec}}(m,\ell) + \lambda[\![\phi']\!]_j \mid i_0 \xrightarrow{m}_I j \} \\
&= \inf\{ d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi']\!]J \mid s_0 \xrightarrow{k}_S t,\ J \in [\![(t,S)]\!],\ [\![\phi']\!]_t = 0 \text{ or } \alpha'_k < [\![\phi']\!]J \} \\
&\ge \inf\big(\{ d_{\mathrm{spec}}(k,\ell) + \lambda\alpha'_k \mid s_0 \xrightarrow{k}_S t \} \cup \{ d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi']\!]_t \}\big) > \alpha, \qquad (4)
\end{aligned}$$
the strict inequality in (4) holding because $S$ is compactly branching.

For the case $\phi = [\ell]\phi'$, let again $\alpha < [\![\phi]\!]S$, and let $I \in [\![S]\!]$ be any implementation. If there is no may transition $s_0 \xrightarrow{k}_S t$ with $d_{\mathrm{spec}}(k,\ell) \ne \infty$, then $[\![\phi]\!]S = \sup\emptyset = 0$ and we are done. Otherwise let $s_0 \xrightarrow{k}_S t$ be such that $[\![\phi]\!]S = d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi']\!]_t$, which exists because $S$ is compactly branching. Then $\alpha < d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi']\!]_t$, so (assuming that $[\![\phi']\!]_t \ne 0$) we have some $\alpha'_k < [\![\phi']\!]_t$ with $d_{\mathrm{spec}}(k,\ell) + \lambda\alpha'_k > \alpha$. Let $J \in [\![(t,S)]\!]$ be such that $\alpha'_k < [\![\phi']\!]J$, let $n \in \mathrm{Imp}$ with $n \sqsubseteq k$ be such that $d_{\mathrm{spec}}(n,\ell) + \lambda[\![\phi']\!]J = d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi']\!]J$, and add $J$ together with a transition $i_0 \xrightarrow{n} j_0$ to $I$. Then
$$[\![\phi]\!]I = \sup\{ d_{\mathrm{spec}}(m,\ell) + \lambda[\![\phi']\!]_j \mid i_0 \xrightarrow{m}_I j \} \ge d_{\mathrm{spec}}(n,\ell) + \lambda[\![\phi']\!]J = d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi']\!]J > d_{\mathrm{spec}}(k,\ell) + \lambda\alpha'_k > \alpha.$$
In case $[\![\phi']\!]_t = 0$ instead, we again take some $J \in [\![(t,S)]\!]$, and then $[\![\phi]\!]I \ge d_{\mathrm{spec}}(k,\ell) + \lambda[\![\phi']\!]J \ge d_{\mathrm{spec}}(k,\ell) = [\![\phi]\!]S > \alpha$. □

Other notions of completeness (see e.g. [7]) are subject of future work.

9 Conclusion and Further Work

We have shown in this paper that within the quantitative specification framework 
of weighted modal transition systems, refinement and implementation distances 
provide a useful tool for robust compositional reasoning. Note that these dis- 
tances permit us not only to reason about differences between implementations 
and from implementations to specifications, but they also provide a means by 
which we can compare specifications directly at the abstract level. 

We have shown that for some of the ingredients of our specification theory, namely structural composition and quotient, our formalism is a conservative extension of the standard Boolean notions. We have also noted, however, that for determinization and logical conjunction the properties of the Boolean notions are not preserved, and that this is a fundamental limitation of any reasonable quantitative specification theory. The precise practical implications of this for the applicability of our quantitative specification framework, and perhaps how to circumvent these limitations, are subject to future work.